From c7670f96b41cf5db8c4b4b36a6f89e82437ec972 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Tue, 26 Mar 2024 13:25:03 +0100 Subject: [PATCH] Update wazuh-states-vulnerabilities index mapping (#191) * Update wazuh-states-vulnerabilities index mapping * Extend ECS Vulnerability fields --- ecs/generate.sh | 2 +- .../event-generator/event_generator.py | 8 +++++--- .../fields/custom/vulnerability.yml | 19 +++++++++++++++++++ .../fields/custom/wazuh.yml | 2 +- ecs/vulnerability-detector/fields/subset.yml | 1 - 5 files changed, 26 insertions(+), 6 deletions(-) create mode 100644 ecs/vulnerability-detector/fields/custom/vulnerability.yml diff --git a/ecs/generate.sh b/ecs/generate.sh index c819c72a8ca76..4b747c0c9a0cb 100755 --- a/ecs/generate.sh +++ b/ecs/generate.sh @@ -23,7 +23,7 @@ generate_mappings() { # Generate mappings python scripts/generator.py --strict --ref "$ECS_VERSION" \ - --include "$IN_FILES_DIR/custom/wazuh.yml" \ + --include "$IN_FILES_DIR/custom/" \ --subset "$IN_FILES_DIR/subset.yml" \ --template-settings "$IN_FILES_DIR/template-settings.json" \ --template-settings-legacy "$IN_FILES_DIR/template-settings-legacy.json" \ diff --git a/ecs/vulnerability-detector/event-generator/event_generator.py b/ecs/vulnerability-detector/event-generator/event_generator.py index 0ed75ec9600a1..73f8e8be71205 100755 --- a/ecs/vulnerability-detector/event-generator/event_generator.py +++ b/ecs/vulnerability-detector/event-generator/event_generator.py @@ -163,7 +163,9 @@ def generate_random_vulnerability(): 'temporal': round(random.uniform(0, 10), 1), 'version': round(random.uniform(0, 10), 1) }, - 'severity': random.choice(['Low', 'Medium', 'High', 'Critical']) + 'severity': random.choice(['Low', 'Medium', 'High', 'Critical']), + 'detected_at': generate_random_date(), + 'published_at': generate_random_date(), } return vulnerability @@ -179,7 +181,7 @@ def generate_random_wazuh(): }, 'schema': { 'version': '1.7.0' - } + }, } return wazuh 
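Review bot: The `--include` argument now names the whole `custom/` directory instead of one listed file, so every YAML file that lands in `custom/` is merged into the generated mapping without appearing anywhere in this script; a stray or half-finished definition would silently change the index, and `--strict`, as far as I know, rejects malformed schemas rather than unintended ones. That is a reasonable trade for the new `vulnerability.yml`, but it should be stated where the next maintainer will see it, on the comment line above the command: `# Generate mappings (every *.yml under custom/ is merged into the schema)`. The rest of generate_mappings() lies outside the hunk.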
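Review bot: In the `@@ -163,7 +163,9 @@` hunk `'detected_at'` and `'published_at'` are drawn independently from `generate_random_date()`, so roughly half of the generated vulnerabilities will be detected before they were published, which makes the sample data misleading for any query or dashboard that compares the two dates. If `generate_random_date()` returns comparable values (it is defined outside the hunk, so I cannot confirm), take one sorted pair above the dict, `published_at, detected_at = sorted((generate_random_date(), generate_random_date()))`, and use those names in place of the two calls. generate_random_vulnerability() begins outside the hunk.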
@@ -188,7 +190,7 @@ def generate_random_data(number):
 data = []
 for _ in range(number):
 event_data = {
- '@timestamp': generate_random_date(),
+ # '@timestamp': generate_random_date(),
 'agent': generate_random_agent(),
 # 'ecs': {'version': '1.7.0'},
 # 'event': generate_random_event(),
diff --git a/ecs/vulnerability-detector/fields/custom/vulnerability.yml b/ecs/vulnerability-detector/fields/custom/vulnerability.yml
new file mode 100644
index 0000000000000..51be3282cc161
--- /dev/null
+++ b/ecs/vulnerability-detector/fields/custom/vulnerability.yml
@@ -0,0 +1,19 @@
+- name: vulnerability
+ title: Vulnerability
+ group: 2
+ short: Fields to describe the vulnerability relevant to an event.
+ description: >
+ The vulnerability fields describe information about a vulnerability that is
+ relevant to an event.
+ type: group
+ fields:
+ - name: detected_at
+ type: date
+ level: custom
+ description: >
+ Vulnerability's detection date.
+ - name: published_at
+ type: date
+ level: custom
+ description: >
+ Vulnerability's publication date.
\ No newline at end of file
diff --git a/ecs/vulnerability-detector/fields/custom/wazuh.yml b/ecs/vulnerability-detector/fields/custom/wazuh.yml
index f7bcf4f897c07..235a746758812 100644
--- a/ecs/vulnerability-detector/fields/custom/wazuh.yml
+++ b/ecs/vulnerability-detector/fields/custom/wazuh.yml
@@ -23,4 +23,4 @@
 type: keyword
 level: custom
 description: >
- Wazuh schema version.
\ No newline at end of file
+ Wazuh schema version.
diff --git a/ecs/vulnerability-detector/fields/subset.yml b/ecs/vulnerability-detector/fields/subset.yml
index f5b0d60757794..951f7e492d1c2 100644
--- a/ecs/vulnerability-detector/fields/subset.yml
+++ b/ecs/vulnerability-detector/fields/subset.yml
@@ -3,7 +3,6 @@ name: vulnerability_detector
 fields:
 base:
 fields:
- "@timestamp": {}
 tags: []
 message: ""
 agent:
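Review bot: The `'@timestamp'` line is parked as a comment rather than deleted, and nothing in the hunk says why the generated event should no longer carry a timestamp while the `subset.yml` hunk in the same commit drops the field from the mapping. The file already keeps `# 'ecs'` and `# 'event'` this way, so if that is the convention, at least record the reason on that line, e.g. `# '@timestamp' intentionally omitted: not part of the states index mapping (see subset.yml)`; otherwise remove the line outright. generate_random_data() continues outside the hunk.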
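Review bot: The new `vulnerability.yml` ends without a trailing newline (`\ No newline at end of file`), which is exactly the defect the `wazuh.yml` hunk in this same commit fixes; add one here too so the next edit does not produce the same churn. The two field descriptions also say little about what each date denotes: `Vulnerability's detection date.` does not say detected where, so something like `Date and time the vulnerability was detected on the monitored agent.` and `Date and time the vulnerability was publicly disclosed.` would help readers of the generated mapping, provided that matches what the detector actually writes.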