Create ECS compliant index templates #270
Assignees
Labels
Comments
AlexRuiz7
added
level/task
This was referenced Jun 18, 2024
|
| Field | ECS field | Type | Description |
|---|---|---|---|
| uuid | agent.id |
keyword | Agent's ID |
| name | agent.name |
keyword | Agent's name |
| groups | *agent.groups |
keyword | Agent's groups |
| internal_key | *agent.key |
keyword | Agent's registration key |
| type | agent.type |
keyword | Type of agent |
| version | agent.version |
keyword | Agent's version |
| connection_status | *agent.is_connected |
boolean | Agents' interpreted connection status depending on agent.last_login |
| last_keepalive | *agent.last_login |
date | Agent's last login |
| ip | host.ip |
ip | Host IP addresses. Note: this field should contain an array of values. |
| os_* | host.os.full |
keyword | Operating system name, including the version or code name. |
* Custom field
ECS mapping
---
name: agent
fields:
base:
fields:
tags: []
agent:
fields:
id: {}
name: {}
type: {}
version: {}
groups: {}
key: {}
last_login: {}
is_connected: {}
host:
fields:
ip: {}
os:
fields:
full: {}---
---
- name: agent
title: Wazuh Agents
short: Wazuh Inc. custom fields.
type: group
group: 2
fields:
- name: groups
type: keyword
level: custom
description: >
The groups the agent belongs to.
- name: key
type: keyword
level: custom
description: >
The agent's registration key.
- name: last_login
type: date
level: custom
description: >
The agent's last login.
- name: is_connected
type: boolean
level: custom
description: >
Agents' interpreted connection status depending on `agent.last_login`.
Index settings
{
"index_patterns": [".agents*"],
"priority": 1,
"template": {
"settings": {
"index": {
"hidden": true,
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"agent.name",
"agent.type",
"agent.version",
"agent.name",
"host.os.full",
"host.ip"
]
}
}
}
}
|
|
The index templates above are in draft. When reviewed and approved. I'll create the tooling to generate these index templates automatically. See https://github.com/wazuh/wazuh-indexer/blob/4.9.0/ecs |
This comment was marked as outdated.
This comment was marked as outdated.
|
| Field | ECS field | Type | Description |
|---|---|---|---|
agent.id |
keyword | Agent's ID | |
*agent.groups |
keyword | Agent's groups | |
| arch | * ? | keyword | Is arch a file property? |
| attributes | file.attributes |
keyword | Array of file attributes. |
| file | file.name |
keyword | Name of the file including the extension, without the directory. |
| full_path | file.path |
keyword | Full path to the file, including the file name. |
| gid | file.gid |
keyword | Primary group ID (GID) of the file. |
| gname | file.group |
keyword | Primary group name of the file. |
| inode | file.inode |
keyword | Inode representing the file in the filesystem. |
| md5 | file.hash.md5 |
keyword | MD5 hash of the file. |
| mtime | file.mtime |
date | Last time the file's metadata changed. |
| perm | file.mode |
keyword | File permissions in octal mode. |
| sha1 | file.hash.sha1 |
keyword | SHA1 hash of the file. |
| sha256 | file.hash.sha256 |
keyword | SHA256 hash of the file. |
| size | file.size |
long | File size in bytes. |
| symbolic_path | file.target_path |
keyword | Target path for symlinks. |
| type | file.type |
keyword | File type (file, dir, or symlink). |
| uid | file.uid |
keyword | User ID (UID) of the file owner. |
| uname | file.owner |
keyword | File owner’s username. |
| value_name | registry.key |
keyword | Hive-relative path of keys. |
| value_type | registry.value |
keyword | Name of the value written. |
* Custom field
ECS mapping
---
name: fim
fields:
agent:
fields:
id: {}
groups: {}
file:
fields:
attributes: {}
name: {}
path: {}
gid: {}
group: {}
inode: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
mtime: {}
mode: {}
size: {}
target_path: {}
type: {}
uid: {}
owner: {}
registry:
fields:
key: {}
value: {}Index settings
{
"index_patterns": ["wazuh-states-fim*"],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"file.name",
"file.path",
"file.target_path",
"file.group",
"file.uid",
"file.gid"
]
}
}
}
}
|
| ECS field | Type | Description |
|---|---|---|
agent.id |
keyword | Unique identifier of this agent (if one exists). |
*agent.groups |
keyword | Agent's groups |
agent.name |
keyword | Custom name of the agent. |
agent.type |
keyword | Type of the agent. |
agent.version |
keyword | Version of the agent. |
host.os.full |
keyword | Operating system name, including the version or code name. |
host.os.kernel |
keyword | Operating system kernel version as a raw string. |
host.os.name |
keyword | Operating system name, without the version. |
host.os.platform |
keyword | Operating system platform (such centos, ubuntu, windows). |
host.os.type |
keyword | Use the os.type field to categorize the operating system into one of the broad commercial families. |
host.os.version |
keyword | Operating system version as a raw string. |
package.architecture |
keyword | Package architecture. |
package.build_version |
keyword | Additional information about the build version of the installed package. |
package.checksum |
keyword | Checksum of the installed package for verification. |
package.description |
keyword | Description of the package. |
package.install_scope |
keyword | Indicating how the package was installed, e.g. user-local, global. |
package.installed |
date | Time when package was installed. |
package.license |
keyword | License under which the package was released. |
package.name |
keyword | Package name |
package.path |
keyword | Path where the package is installed. |
package.reference |
keyword | Home page or reference URL of the software in this package, if available. |
package.size |
long | Package size in bytes. |
package.type |
keyword | Type of package. |
package.version |
keyword | Package version |
vulnerability.category |
keyword | The type of system or architecture that the vulnerability affects |
vulnerability.classification |
keyword | The classification of the vulnerability scoring system. |
vulnerability.description |
keyword | The description of the vulnerability that provides additional context of the vulnerability |
*vulnerability.detected_at |
date | Vulnerability's detection date. |
vulnerability.enumeration |
keyword | The type of identifier used for this vulnerability. |
vulnerability.id |
keyword | The identification (ID) is the number portion of a vulnerability entry. |
*vulnerability.published_at |
date | Vulnerability's publication date. |
vulnerability.reference |
keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability. |
vulnerability.report_id |
keyword | The report or scan identification number. |
*vulnerability.scanner.source |
keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability). |
vulnerability.scanner.vendor |
keyword | The name of the vulnerability scanner vendor. |
vulnerability.score.base |
float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
vulnerability.score.environmental |
float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
vulnerability.score.temporal |
float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. |
vulnerability.score.version |
keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. |
vulnerability.severity |
keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. |
*vulnerability.under_evaluation |
boolean | Indicates if the vulnerability is awaiting analysis by the NVD. |
*wazuh.cluster.name |
keyword | Name of the Wazuh cluster. |
*wazuh.cluster.node |
keyword | Name of the Wazuh cluster node. |
*wazuh.schema.version |
keyword | Version of the Wazuh schema. |
* Custom field
ECS mapping
---
name: wazuh-states-inventory-vulnerability
fields:
base:
tags: []
agent:
fields: "*"
package:
fields: "*"
host:
fields:
os:
fields:
full: ""
kernel: ""
name: ""
platform: ""
type: ""
version: ""
vulnerability:
fields: "*"
wazuh:
fields: "*"---
- name: vulnerability
title: Vulnerability
group: 2
short: Fields to describe the vulnerability relevant to an event.
description: >
The vulnerability fields describe information about a vulnerability that is
relevant to an event.
type: group
fields:
- name: detected_at
type: date
level: custom
description: >
Vulnerability's detection date.
- name: published_at
type: date
level: custom
description: >
Vulnerability's publication date.
- name: under_evaluation
type: boolean
level: custom
description: >
Indicates if the vulnerability is awaiting analysis by the NVD.
- name: scanner.source
type: keyword
level: custom
description: >
The origin of the decision of the scanner (AKA feed used to detect the vulnerability).---
---
- name: wazuh
title: Wazuh
description: >
Wazuh Inc. custom fields
fields:
- name: cluster.name
type: keyword
level: custom
description: >
Wazuh cluster name.
- name: cluster.node
type: keyword
level: custom
description: >
Wazuh cluster node name.
- name: schema.version
type: keyword
level: custom
description: >
Wazuh schema version.Index settings
{
"index_patterns": ["wazuh-states-vulnerabilities*"],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.group",
"host.os.full",
"host.os.version",
"package.name",
"package.version",
"vulnerability.id",
"vulnerability.description",
"vulnerability.severity",
"wazuh.cluster.name"
]
}
}
}
}
This comment was marked as outdated.
This comment was marked as outdated.
|
Index templates for |
|
Index template for |
This was referenced Jul 9, 2024
This was referenced Aug 7, 2024
5 tasks
4 tasks
|
| Field name | ECS field name | Data type | Description |
|---|---|---|---|
agent.id |
keyword | Agent's ID | |
*agent.groups |
keyword | Agent's groups | |
| scan_time | @timestamp |
date | Date/time when the event originated. |
| architecture | host.architecture |
keyword | Operating system architecture. |
| hostname | host.hostname |
keyword | Hostname of the host. |
| os_build | host.os.kernel |
keyword | Operating system kernel version as a raw string. |
| os_codename | host.os.full |
keyword | Operating system name, including the version or code name. |
| os_name | host.os.name |
keyword | Operating system name, without the version. |
| os_platform | host.os.platform |
keyword | Operating system platform (such centos, ubuntu, windows). |
| os_version | host.os.version |
keyword | Operating system version as a raw string. |
| sysname | host.os.type |
keyword | [linux, macos, unix, windows, ios, android] |
* Custom field
Details
Removed fields:
- os_display_version
- os_major (can be extracted from os_version)
- os_minor (can be extracted from os_version)
- os_patch (can be extracted from os_version)
- os_release
- reference
- release
- scan_id
- sysname
- version
- checksum
Available fields:
os.familyhots.name
ECS mapping
---
name: wazuh-states-inventory-system
fields:
base:
fields:
"@timestamp": {}
agent:
fields:
id: {}
groups: {}
host:
fields:
architecture: {}
hostname: {}
name: {}
os:
fields:
kernel: {}
full: {}
platform: {}
version: {}
type: {}Index settings
{
"index_patterns": ["wazuh-states-inventory-system*"],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"host.name",
"host.os.type",
"host.os.version"
]
}
}
}
}
|
| Field name | ECS field name | Data type | Description |
|---|---|---|---|
agent.id |
keyword | Agent's ID | |
*agent.groups |
keyword | Agent's groups | |
| scan_time | @timestamp |
date | Timestamp of the scan |
| architecture | package.architecture |
keyword | Package architecture. |
| description | package.description |
keyword | Description of the package. |
| install_time | package.installed |
date | Time when package was installed. |
| name | package.name |
keyword | Package name. |
| location | package.path |
keyword | Path where the package is installed. |
| size | package.size |
long | Package size in bytes. |
| format | package.type |
keyword | Type of package. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. |
| version | package.version |
keyword | Package version. |
* Custom field
Fields not included in ECS
| Field name | ECS field name | Data type | Description | |
|---|---|---|---|---|
| ? | priority | Priority of the program | ||
| ? | section | Section of the program category the package belongs to in DEB package managers | ||
| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. |
| ? | multiarch | Multi-architecture compatibility | ||
| X | source | Source of the program - package manager |
ECS mapping
---
name: wazuh-states-inventory-packages
fields:
base:
fields:
"@timestamp": {}
agent:
fields:
id: {}
groups: {}
package:
fields:
architecture: ""
description: ""
installed: {}
name: ""
path: ""
size: {}
type: ""
version: ""Index settings
{
"index_patterns": ["wazuh-states-inventory-packages*"],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"package.architecture"
"package.name",
"package.version",
"package.type"
]
}
}
}
}
|
| Field name | ECS field name | Data type | Description | Comments | |
|---|---|---|---|---|---|
agent.id |
keyword | Agent's ID | |||
*agent.groups |
keyword | Agent's groups | |||
| scan_time | @timestamp |
date | Date/time when the event originated. | ||
| pid | process.pid |
long | Process ID. | ||
| name | process.name |
keyword | Process name. | ||
| ppid | process.parent.pid |
long | Parent process ID. | ||
| cmd | process.command_line |
wildcard | Full command line that started the process, including the absolute path to the executable, and all arguments. | ||
| argvs | process.args |
keyword | Array of process arguments, starting with the absolute path to the executable. | ||
| euser | process.user.id |
keyword | Unique identifier of the effective user. | ||
| ruser | process.real_user.id |
keyword | Unique identifier of the real user. | ||
| suser | process.saved_user.id |
keyword | Unique identifier of the saved user. | ||
| egroup | process.group.id |
keyword | Unique identifier for the effective group on the system/platform. | ||
| rgroup | process.real_group.id |
keyword | Unique identifier for the real group on the system/platform. | ||
| sgroup | process.saved_group.id |
keyword | Unique identifier for the saved group on the system/platform. | ||
| start_time | process.start |
date | The time the process started. | ||
| ! | tgid | process.thread.id |
No ECS mapping | Thread ID | thread.group is not part of ECS; but thread.id is. |
| ! | tty | process.tty |
object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification |
* Custom field
!: Fields awaiting analysis
Fields not included in ECS
| Field name | ECS field name | Data type | Description | Comments | |
|---|---|---|---|---|---|
| x | state | process.state |
No ECS mapping | State of the process | Not part of ECS; Maybe as a custom field. |
| x | utime | process.cpu.user |
No ECS mapping | User mode CPU time | Not part of ECS; Maybe as a custom field. |
| x | stime | process.cpu.system |
No ECS mapping | Kernel mode CPU time | Not part of ECS; Maybe as a custom field. |
| x? | fgroup | process.group.file.id |
No ECS mapping | unknown | |
| x | priority | process.priority |
No ECS mapping | Process priority | Not part of ECS; Maybe as a custom field. |
| x | nice | process.nice |
No ECS mapping | Nice value | Not part of ECS; Maybe as a custom field. |
| x | size | process.size |
No ECS mapping | Process size | Not part of ECS; Maybe as a custom field. |
| x | vm_size | process.vm.size |
No ECS mapping | Virtual memory size | Not part of ECS; Maybe as a custom field. |
| x | resident | process.memory.resident |
No ECS mapping | Resident set size | Not part of ECS; Maybe as a custom field. |
| x | share | process.memory.share |
No ECS mapping | Shared memory size | Not part of ECS; Maybe as a custom field. |
| ! | pgrp | process.group.id |
keyword | Process group | Isn't it duplicated ?? |
| x | session | process.session |
No ECS mapping | Session ID | Not part of ECS; Needs clarification. |
| x | nlwp | process.nlwp |
No ECS mapping | Number of light-weight processes | Not part of ECS; Needs clarification. |
| ! | tgid | process.thread.id |
No ECS mapping | Thread ID ID | thread.group is not part of ECS; but thread.id is. |
| ! | tty | process.tty |
object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | Needs clarification |
| x | processor | host.cpu.processor |
No ECS mapping | Processor number | No ECS field refers to the core number of the CPU. |
ECS mapping
---
name: wazuh-states-inventory-processes
fields:
base:
fields:
"@timestamp": {}
agent:
fields:
id: {}
groups: {}
process:
fields:
pid: {}
name: ""
parent:
fields:
pid: {}
command_line: ""
args: ""
user:
fields:
id: ""
real_user:
fields:
id: ""
saved_user:
fields:
id: ""
group:
fields:
id: ""
real_group:
fields:
id: ""
saved_group:
fields:
id: ""
start: {}
thread:
fields:
id: ""
tty: {}Index settings
{
"index_patterns": ["wazuh-states-inventory-processes*"],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"process.name",
"process.pid",
"process.command_line"
]
}
}
}
}
This was referenced Sep 11, 2024
This was referenced Sep 11, 2024
|
Hello. Please add agent.labels in Vulnerability Module the same way like in "Threat Hunting" module. Labels are awesome and can easy filter data based on personal entries in agent configuration. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
As part of the Data Persistence Model Redesign, new indices will appear in the Wazuh Indexer. We want these indices to be created automatically after Wazuh Indexer boots up. For that, we'll build a plugin.
As owners of the Wazuh Indexer, we will define the indices settings and fields. These need to be ECS compliant.
Tasks
agentsindex.statefulindices.commandsindex.wazuh-alerts(stateless) index.Implementation restrictions
agent.groupsmust be present on all indices but thecommandsindex.inventory-system(host's info)inventory-processesinventory-networksinventory-packagesagentsindex contains basic information about the host (IP, OS info)The text was updated successfully, but these errors were encountered: