Create ECS compliant index templates #270
Field | ECS field | Type | Description
---|---|---|---
uuid | agent.id | keyword | Agent's ID
name | agent.name | keyword | Agent's name
groups | *agent.groups | keyword | Agent's groups
internal_key | *agent.key | keyword | Agent's registration key
type | agent.type | keyword | Type of agent
version | agent.version | keyword | Agent's version
connection_status | *agent.is_connected | boolean | Agents' interpreted connection status depending on agent.last_login
last_keepalive | *agent.last_login | date | Agent's last login
ip | host.ip | ip | Host IP addresses. Note: this field should contain an array of values.
os_* | host.os.full | keyword | Operating system name, including the version or code name.

* Custom field
ECS mapping

```yaml
---
name: agent
fields:
  base:
    fields:
      tags: []
  agent:
    fields:
      id: {}
      name: {}
      type: {}
      version: {}
      groups: {}
      key: {}
      last_login: {}
      is_connected: {}
  host:
    fields:
      ip: {}
      os:
        fields:
          full: {}
```

```yaml
---
- name: agent
  title: Wazuh Agents
  short: Wazuh Inc. custom fields.
  type: group
  group: 2
  fields:
    - name: groups
      type: keyword
      level: custom
      description: >
        The groups the agent belongs to.
    - name: key
      type: keyword
      level: custom
      description: >
        The agent's registration key.
    - name: last_login
      type: date
      level: custom
      description: >
        The agent's last login.
    - name: is_connected
      type: boolean
      level: custom
      description: >
        Agents' interpreted connection status depending on `agent.last_login`.
```
Index settings

```json
{
  "index_patterns": [".agents*"],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "hidden": true,
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "agent.id",
          "agent.groups",
          "agent.name",
          "agent.type",
          "agent.version",
          "host.os.full",
          "host.ip"
        ]
      }
    }
  }
}
```
The index templates above are in draft. When reviewed and approved, I'll create the tooling to generate these index templates automatically. See https://github.com/wazuh/wazuh-indexer/blob/4.9.0/ecs
Field | ECS field | Type | Description
---|---|---|---
| | agent.id | keyword | Agent's ID |
| | *agent.groups | keyword | Agent's groups |
| arch | * ? | keyword | Is arch a file property? |
| attributes | file.attributes | keyword | Array of file attributes. |
| file | file.name | keyword | Name of the file including the extension, without the directory. |
| full_path | file.path | keyword | Full path to the file, including the file name. |
| gid | file.gid | keyword | Primary group ID (GID) of the file. |
| gname | file.group | keyword | Primary group name of the file. |
| inode | file.inode | keyword | Inode representing the file in the filesystem. |
| md5 | file.hash.md5 | keyword | MD5 hash of the file. |
| mtime | file.mtime | date | Last time the file's metadata changed. |
| perm | file.mode | keyword | File permissions in octal mode. |
| sha1 | file.hash.sha1 | keyword | SHA1 hash of the file. |
| sha256 | file.hash.sha256 | keyword | SHA256 hash of the file. |
| size | file.size | long | File size in bytes. |
| symbolic_path | file.target_path | keyword | Target path for symlinks. |
| type | file.type | keyword | File type (file, dir, or symlink). |
| uid | file.uid | keyword | User ID (UID) of the file owner. |
| uname | file.owner | keyword | File owner's username. |
| value_name | registry.key | keyword | Hive-relative path of keys. |
| value_type | registry.value | keyword | Name of the value written. |

* Custom field
ECS mapping

```yaml
---
name: fim
fields:
  agent:
    fields:
      id: {}
      groups: {}
  file:
    fields:
      attributes: {}
      name: {}
      path: {}
      gid: {}
      group: {}
      inode: {}
      hash:
        fields:
          md5: {}
          sha1: {}
          sha256: {}
      mtime: {}
      mode: {}
      size: {}
      target_path: {}
      type: {}
      uid: {}
      owner: {}
  registry:
    fields:
      key: {}
      value: {}
```
Index settings

```json
{
  "index_patterns": ["wazuh-states-fim*"],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "agent.id",
          "agent.groups",
          "file.name",
          "file.path",
          "file.target_path",
          "file.group",
          "file.uid",
          "file.gid"
        ]
      }
    }
  }
}
```
ECS field | Type | Description
---|---|---
agent.id | keyword | Unique identifier of this agent (if one exists).
*agent.groups | keyword | Agent's groups
agent.name | keyword | Custom name of the agent.
agent.type | keyword | Type of the agent.
agent.version | keyword | Version of the agent.
host.os.full | keyword | Operating system name, including the version or code name.
host.os.kernel | keyword | Operating system kernel version as a raw string.
host.os.name | keyword | Operating system name, without the version.
host.os.platform | keyword | Operating system platform (such as centos, ubuntu, windows).
host.os.type | keyword | Use the os.type field to categorize the operating system into one of the broad commercial families.
host.os.version | keyword | Operating system version as a raw string.
package.architecture | keyword | Package architecture.
package.build_version | keyword | Additional information about the build version of the installed package.
package.checksum | keyword | Checksum of the installed package for verification.
package.description | keyword | Description of the package.
package.install_scope | keyword | Indicating how the package was installed, e.g. user-local, global.
package.installed | date | Time when package was installed.
package.license | keyword | License under which the package was released.
package.name | keyword | Package name
package.path | keyword | Path where the package is installed.
package.reference | keyword | Home page or reference URL of the software in this package, if available.
package.size | long | Package size in bytes.
package.type | keyword | Type of package.
package.version | keyword | Package version
vulnerability.category | keyword | The type of system or architecture that the vulnerability affects
vulnerability.classification | keyword | The classification of the vulnerability scoring system.
vulnerability.description | keyword | The description of the vulnerability that provides additional context of the vulnerability
*vulnerability.detected_at | date | Vulnerability's detection date.
vulnerability.enumeration | keyword | The type of identifier used for this vulnerability.
vulnerability.id | keyword | The identification (ID) is the number portion of a vulnerability entry.
*vulnerability.published_at | date | Vulnerability's publication date.
vulnerability.reference | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability.
vulnerability.report_id | keyword | The report or scan identification number.
*vulnerability.scanner.source | keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability).
vulnerability.scanner.vendor | keyword | The name of the vulnerability scanner vendor.
vulnerability.score.base | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
vulnerability.score.environmental | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
vulnerability.score.temporal | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
vulnerability.score.version | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.
vulnerability.severity | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation.
*vulnerability.under_evaluation | boolean | Indicates if the vulnerability is awaiting analysis by the NVD.
*wazuh.cluster.name | keyword | Name of the Wazuh cluster.
*wazuh.cluster.node | keyword | Name of the Wazuh cluster node.
*wazuh.schema.version | keyword | Version of the Wazuh schema.

* Custom field
ECS mapping

```yaml
---
name: wazuh-states-vulnerabilities
fields:
  base:
    tags: []
  agent:
    fields: "*"
  package:
    fields: "*"
  host:
    fields:
      os:
        fields:
          full: ""
          kernel: ""
          name: ""
          platform: ""
          type: ""
          version: ""
  vulnerability:
    fields: "*"
  wazuh:
    fields: "*"
```

```yaml
---
- name: vulnerability
  title: Vulnerability
  group: 2
  short: Fields to describe the vulnerability relevant to an event.
  description: >
    The vulnerability fields describe information about a vulnerability that is
    relevant to an event.
  type: group
  fields:
    - name: detected_at
      type: date
      level: custom
      description: >
        Vulnerability's detection date.
    - name: published_at
      type: date
      level: custom
      description: >
        Vulnerability's publication date.
    - name: under_evaluation
      type: boolean
      level: custom
      description: >
        Indicates if the vulnerability is awaiting analysis by the NVD.
    - name: scanner.source
      type: keyword
      level: custom
      description: >
        The origin of the decision of the scanner (AKA feed used to detect the vulnerability).
```

```yaml
---
- name: wazuh
  title: Wazuh
  description: >
    Wazuh Inc. custom fields
  fields:
    - name: cluster.name
      type: keyword
      level: custom
      description: >
        Wazuh cluster name.
    - name: cluster.node
      type: keyword
      level: custom
      description: >
        Wazuh cluster node name.
    - name: schema.version
      type: keyword
      level: custom
      description: >
        Wazuh schema version.
```
Index settings

```json
{
  "index_patterns": ["wazuh-states-vulnerabilities*"],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "agent.id",
          "agent.groups",
          "host.os.full",
          "host.os.version",
          "package.name",
          "package.version",
          "vulnerability.id",
          "vulnerability.description",
          "vulnerability.severity",
          "wazuh.cluster.name"
        ]
      }
    }
  }
}
```
Index templates for
Index template for
Hello. Please add agent.labels in the Vulnerability Module the same way as in the "Threat Hunting" module. Labels are awesome and can easily filter data based on personal entries in the agent configuration.
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| | adapter | observer.ingress.interface.alias | keyword | Adapter name of the network interface |
| | address | host.ip | ip | Network address |
| | iface | observer.ingress.interface.name | keyword | Name of the network interface |
| | inode | file.inode | keyword | The unix inode of the port |
| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item |
| | local_ip | source.ip | ip | Local IP address |
| | local_port | source.port | long | Local port number |
| | mac | host.mac | keyword | MAC address of the network interface |
| | name | observer.ingress.interface.name | keyword | Name of the network interface |
| | pid | process.pid | long | Process ID |
| | process | process.name | keyword | Process name |
| | proto | network.protocol | keyword | Type of network protocol |
| | protocol | network.protocol | keyword | Protocol used |
| | remote_ip | destination.ip | ip | Remote IP address |
| | remote_port | destination.port | long | Remote port number |
| | rx_bytes | host.network.ingress.bytes | long | Number of received bytes |
| | rx_packets | host.network.ingress.packets | long | Number of received packets |
| | scan_id | event.id | keyword | Reference to the scan information |
| | scan_time | @timestamp | date | Timestamp of the scan |
| | tx_bytes | host.network.egress.bytes | long | Number of transmitted bytes |
| | tx_packets | host.network.egress.packets | long | Number of transmitted packets |
| | type | network.type | keyword | IPv4 or IPv6 for protocols, interface type for interface records |
| * | broadcast | network.broadcast | ip | Broadcast address |
| * | dhcp | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) |
| * | gateway | network.gateway | ip | Gateway address |
| * | metric | network.metric | long | Metric of the network protocol |
| * | mtu | interface.mtu | long | Maximum transmission unit size |
| * | netmask | network.netmask | ip | Network mask |
| * | rx_dropped | host.network.ingress.drops | long | Number of dropped received packets |
| * | rx_errors | host.network.ingress.errors | long | Number of reception errors |
| * | rx_queue | host.network.ingress.queue | long | Receive queue length |
| * | state | interface.state | keyword | State of the network interface |
| * | tx_dropped | host.network.egress.drops | long | Number of dropped transmitted packets |
| * | tx_errors | host.network.egress.errors | long | Number of transmission errors |
| * | tx_queue | host.network.egress.queue | long | Transmit queue length |
| * | type | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") |

* Custom fields
ECS mapping

```yaml
---
name: wazuh-states-inventory-networks
fields:
  base:
    fields:
      tags: []
      "@timestamp": {}
  agent:
    fields:
      id: {}
      groups: {}
  destination:
    fields:
      ip: {}
      port: {}
  device:
    fields:
      id: {}
  file:
    fields:
      inode: {}
  host:
    fields:
      ip: {}
      mac: {}
      network:
        fields:
          egress:
            fields:
              bytes: {}
              packets: {}
          ingress:
            fields:
              bytes: {}
              packets: {}
  network:
    fields:
      protocol: {}
      type: {}
  observer:
    fields:
      ingress:
        fields:
          interface:
            fields:
              alias: {}
              name: {}
  process:
    fields:
      name: {}
      pid: {}
  source:
    fields:
      ip: {}
      port: {}
```
Index settings

```json
{
  "index_patterns": [
    "wazuh-states-inventory-networks*"
  ],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_replicas": "0",
        "number_of_shards": "1",
        "query.default_field": [
          "agent.id",
          "agent.groups",
          "device.id",
          "event.id",
          "host.ip",
          "observer.ingress.interface.name",
          "observer.ingress.interface.alias",
          "process.name"
        ],
        "refresh_interval": "5s"
      }
    },
    "mappings": {
      "date_detection": false,
      "dynamic": "strict",
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "agent": {
          "properties": {
            "groups": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "destination": {
          "properties": {
            "ip": {
              "type": "ip"
            },
            "port": {
              "type": "long"
            }
          }
        },
        "device": {
          "properties": {
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "file": {
          "properties": {
            "inode": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "host": {
          "properties": {
            "ip": {
              "type": "ip"
            },
            "mac": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "network": {
              "properties": {
                "egress": {
                  "properties": {
                    "bytes": {
                      "type": "long"
                    },
                    "packets": {
                      "type": "long"
                    }
                  }
                },
                "ingress": {
                  "properties": {
                    "bytes": {
                      "type": "long"
                    },
                    "packets": {
                      "type": "long"
                    }
                  }
                }
              }
            }
          }
        },
        "network": {
          "properties": {
            "protocol": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "type": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "observer": {
          "properties": {
            "ingress": {
              "properties": {
                "interface": {
                  "properties": {
                    "alias": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "name": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    }
                  }
                }
              },
              "type": "object"
            }
          }
        },
        "process": {
          "properties": {
            "name": {
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              },
              "ignore_above": 1024,
              "type": "keyword"
            },
            "pid": {
              "type": "long"
            }
          }
        },
        "source": {
          "properties": {
            "ip": {
              "type": "ip"
            },
            "port": {
              "type": "long"
            }
          }
        }
      }
    }
  }
}
```
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| | scan_time | @timestamp | date | Timestamp of the scan |
| | board_serial | observer.serial_number | keyword | Serial number of the motherboard |
| * | cpu_name | host.cpu.name | keyword | Name of the CPU |
| * | cpu_cores | host.cpu.cores | long | Number of CPU cores |
| * | cpu_mhz | host.cpu.speed | long | Speed of the CPU in MHz |
| * | ram_total | host.memory.total | long | Total RAM in the system |
| * | ram_free | host.memory.free | long | Free RAM in the system |
| * | ram_usage | host.memory.used.percentage | long | RAM usage as a percentage |

* Custom fields
ECS mapping

```yaml
---
name: wazuh-states-inventory-hardware
fields:
  base:
    fields:
      tags: []
      "@timestamp": {}
  agent:
    fields:
      id: {}
      groups: {}
  observer:
    fields:
      serial_number: {}
  host:
    fields:
      memory:
        fields:
          total: {}
          free: {}
          used:
            fields:
              percentage: {}
      cpu:
        fields:
          name: {}
          cores: {}
          speed: {}
```
Index settings

```json
{
  "index_patterns": [
    "wazuh-states-inventory-hardware*"
  ],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_replicas": "0",
        "number_of_shards": "1",
        "query.default_field": [
          "observer.serial_number"
        ],
        "refresh_interval": "5s"
      }
    },
    "mappings": {
      "date_detection": false,
      "dynamic": "strict",
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "agent": {
          "properties": {
            "groups": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "host": {
          "properties": {
            "cpu": {
              "properties": {
                "cores": {
                  "type": "long"
                },
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "speed": {
                  "type": "long"
                }
              },
              "type": "object"
            },
            "memory": {
              "properties": {
                "free": {
                  "type": "long"
                },
                "total": {
                  "type": "long"
                },
                "used": {
                  "properties": {
                    "percentage": {
                      "type": "long"
                    }
                  },
                  "type": "object"
                }
              },
              "type": "object"
            }
          }
        },
        "observer": {
          "properties": {
            "serial_number": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}
```
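A review check for drafts like these, as an added example that is not part of the issue or of wazuh-indexer: it lists `query.default_field` entries that no mapped field backs (OpenSearch accepts the template, but searches on those names silently never match) and the document paths a `dynamic: strict` mapping would reject. `HARDWARE_TEMPLATE` is a constructed miniature of the hardware draft, not the draft itself, and it keeps an unbacked `observer.board_serial` default field on purpose.

```python
from typing import Any

# Constructed miniature of the wazuh-states-inventory-hardware draft. Its
# default_field entry "observer.board_serial" is deliberately not backed by
# the mapping (which defines observer.serial_number), so the check has a hit.
HARDWARE_TEMPLATE: dict[str, Any] = {
    "index_patterns": ["wazuh-states-inventory-hardware*"],
    "priority": 1,
    "template": {
        "settings": {"index": {
            "number_of_shards": "1", "number_of_replicas": "0",
            "query.default_field": ["observer.board_serial", "agent.id"],
        }},
        "mappings": {
            "date_detection": False,
            "dynamic": "strict",
            "properties": {
                "@timestamp": {"type": "date"},
                "agent": {"properties": {
                    "id": {"type": "keyword", "ignore_above": 1024},
                    "groups": {"type": "keyword", "ignore_above": 1024},
                }},
                "host": {"properties": {"cpu": {"properties": {
                    "cores": {"type": "long"},
                    "name": {"type": "keyword", "ignore_above": 1024},
                }}}},
                "observer": {"properties": {
                    "serial_number": {"type": "keyword", "ignore_above": 1024},
                }},
            },
        },
    },
}

def leaf_paths(properties: dict[str, Any], prefix: str = "") -> set[str]:
    """Dotted paths of every typed (non-object) field in a mappings tree."""
    paths: set[str] = set()
    for name, spec in properties.items():
        if "properties" in spec:          # object field: descend into it
            paths |= leaf_paths(spec["properties"], f"{prefix}{name}.")
        else:                             # concrete field carrying a type
            paths.add(prefix + name)
    return paths

def flatten(doc: dict[str, Any], prefix: str = "") -> dict[str, Any]:
    """Flatten a nested document into {dotted.path: value}."""
    flat: dict[str, Any] = {}
    for key, value in doc.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[prefix + key] = value
    return flat

def unmapped_default_fields(template: dict[str, Any]) -> list[str]:
    """query.default_field entries no mapped field backs (silent no-ops)."""
    tpl = template["template"]
    defaults = tpl["settings"]["index"].get("query.default_field", [])
    mapped = leaf_paths(tpl["mappings"]["properties"])
    return sorted(f for f in defaults if f not in mapped)

def strict_rejects(doc: dict[str, Any], template: dict[str, Any]) -> list[str]:
    """Document paths that this dynamic:strict mapping would refuse to index."""
    mapped = leaf_paths(template["template"]["mappings"]["properties"])
    return sorted(p for p in flatten(doc) if p not in mapped)
```

Run the same two functions over each draft's JSON (`json.load`) before it is committed; a non-empty result from either is a template bug, not a data problem.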
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| | scan_time | @timestamp | date | Timestamp of the scan |
| * | hotfix | package.hotfix.name | keyword | Name of the hotfix |

* Custom fields
ECS mapping

```yaml
---
name: wazuh-states-inventory-hotfixes
fields:
  base:
    fields:
      tags: []
      "@timestamp": {}
  agent:
    fields:
      id: {}
      groups: {}
  package:
    fields:
      hotfix:
        fields:
          name: {}
```
Index settings

```json
{
  "index_patterns": [
    "wazuh-states-inventory-hotfixes*"
  ],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_replicas": "0",
        "number_of_shards": "1",
        "query.default_field": [
          "package.hotfix.name"
        ],
        "refresh_interval": "5s"
      }
    },
    "mappings": {
      "date_detection": false,
      "dynamic": "strict",
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "agent": {
          "properties": {
            "groups": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "package": {
          "properties": {
            "hotfix": {
              "properties": {
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              },
              "type": "object"
            }
          }
        }
      }
    }
  }
}
```
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| | inode | file.inode | keyword | The unix inode of the port |
| | item_id | device.id | keyword | Identifier of interface/protocol/address/port item |
| | local_ip | source.ip | ip | Local IP address |
| | local_port | source.port | long | Local port number |
| | pid | process.pid | long | Process ID |
| | process | process.name | keyword | Process name |
| | protocol | network.protocol | keyword | Protocol used |
| | remote_ip | destination.ip | ip | Remote IP address |
| | remote_port | destination.port | long | Remote port number |
| | scan_time | @timestamp | date | Timestamp of the scan |
| * | rx_queue | host.network.ingress.queue | long | Receive queue length |
| * | state | interface.state | keyword | State of the network interface |
| * | tx_queue | host.network.egress.queue | long | Transmit queue length |

* Custom fields
ECS mapping

```yaml
---
name: wazuh-states-inventory-ports
fields:
  base:
    fields:
      tags: []
      "@timestamp": {}
  agent:
    fields:
      id: {}
      groups: {}
  destination:
    fields:
      ip: {}
      port: {}
  device:
    fields:
      id: {}
  file:
    fields:
      inode: {}
  host:
    fields:
      network:
        fields:
          egress:
            fields:
              queue: {}
          ingress:
            fields:
              queue: {}
  network:
    fields:
      protocol: {}
  process:
    fields:
      name: {}
      pid: {}
  source:
    fields:
      ip: {}
      port: {}
  interface:
    fields:
      state: {}
```
Index settings

```json
{
  "index_patterns": [
    "wazuh-states-inventory-ports*"
  ],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "agent.id",
          "agent.groups",
          "process.name",
          "source.ip",
          "destination.ip"
        ]
      }
    }
  }
}
```
Description
As part of the Data Persistence Model Redesign, new indices will appear in the Wazuh Indexer. We want these indices to be created automatically after Wazuh Indexer boots up. For that, we'll build a plugin.
As owners of the Wazuh Indexer, we will define the indices settings and fields. These need to be ECS compliant.
Tasks

- `agents` index.
- Stateful indices.
- `commands` index.
- `wazuh-alerts` (stateless) index.

Implementation restrictions

- `agent.groups` must be present on all indices but the `commands` index.
- `agents` index contains basic information about the host (IP, OS info) (see Enrich index templates with agents' information #525).