Closed vikman90 closed 2 months ago
Based on file: schema_agents.sql
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| | full_path | file.path | KEYWORD | Full path of the item |
| | file | file.name | KEYWORD | File name |
| | type | file.type | KEYWORD | Type of file |
| | date | @timestamp | DATE | Entry timestamp |
| ❌ | changes | | KEYWORD | Type of change |
| | arch | host.architecture ❓ | KEYWORD | System architecture |
| | value_name | registry.value | KEYWORD | Registry value name |
| | value_type | registry.data.type | KEYWORD | Registry value type |
| | size | file.size | LONG | File size in bytes |
| | perm | file.mode ❗ | KEYWORD | File permissions |
| | uid | file.uid | LONG | User ID of file owner |
| | gid | file.gid | LONG | Group ID of file owner |
| | md5 | file.hash.md5 | KEYWORD | MD5 hash |
| | sha1 | file.hash.sha1 | KEYWORD | SHA1 hash |
| | uname | file.owner | KEYWORD | User name |
| | gname | file.group | KEYWORD | Group name |
| | mtime | file.mtime | DATE | Last modification time |
| | inode | file.inode | LONG | Inode number |
| | sha256 | file.hash.sha256 | KEYWORD | SHA256 hash |
| | attributes | file.attributes | KEYWORD | File attributes |
| | symbolic_path | file.target_path | KEYWORD | Symbolic link path |
| ❌ | checksum | | KEYWORD | File checksum |
❗ Requires some changes in the agent's FIM module.
Based on file: schema_agents.sql
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | scan_id | sca_scan_info.id | INTEGER | Reference to the scan information |
| | id | | INTEGER | Primary key for the check |
| | policy_id | sca_policy.id | KEYWORD | Reference to the policy |
| | title | rule.name ❓ | TEXT | Title of the check |
| | description | rule.description | TEXT | Description of the check |
| | rationale | | TEXT | Rationale behind the check |
| | remediation | | TEXT | Steps for remediation |
| | file | file.path | KEYWORD | File related to the check |
| | process | process.name | KEYWORD | Process related to the check |
| | directory | file.directory | KEYWORD | Directory related to the check |
| | registry | registry.path | KEYWORD | Registry related to the check |
| | command | process.command_line | TEXT | Command related to the check |
| | references | rule.reference | TEXT | References for the check |
| | result | event.outcome | KEYWORD | Result of the check |
| | reason | | TEXT | Reason for the result |
| | condition | | TEXT | Condition that triggers the check |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | id | | INTEGER | Primary key for the scan information |
| ❌ | start_scan | event.start | DATE | Timestamp when the scan started |
| ❌ | end_scan | event.end | DATE | Timestamp when the scan ended |
| ❌ | policy_id | sca_policy.id | KEYWORD | Reference to the policy |
| ❌ | pass | | INTEGER | Number of passed checks |
| ❌ | fail | | INTEGER | Number of failed checks |
| ❌ | invalid | | INTEGER | Number of invalid checks |
| ❌ | total_checks | | INTEGER | Total number of checks performed |
| ❌ | score | | INTEGER | Score of the scan |
| ❌ | hash | file.hash.md5 | KEYWORD | Hash of the scan information |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | name | | TEXT | Name of the policy |
| ❌ | file | file.path | KEYWORD | File associated with the policy |
| ❌ | id | | KEYWORD | Unique identifier for the policy |
| ❌ | description | | TEXT | Description of the policy |
| ❌ | references | rule.reference | TEXT | References for the policy |
| ❌ | hash_file | file.hash.md5 | KEYWORD | Hash of the policy file |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | id_check | sca_check.id | INTEGER | Reference to the check ID |
| ❌ | type | | KEYWORD | Type of the rule |
| ❌ | rule | | TEXT | Rule associated with the check |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | id_check | sca_check.id | INTEGER | Reference to the check ID |
| ❌ | key | | KEYWORD | Compliance key |
| ❌ | value | | KEYWORD | Value associated with the compliance key |
Based on file: schema_agents.sql
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | scan_id | | KEYWORD | Scan identifier |
| | scan_time | @timestamp | DATE | Timestamp of the scan |
| | hostname | host.hostname | KEYWORD | Hostname of the system |
| | architecture | host.architecture | KEYWORD | System architecture |
| | os_name | os.name | KEYWORD | Name of the operating system |
| | os_version | os.version | KEYWORD | Version of the operating system |
| | os_codename | os.codename | KEYWORD | Code name of the operating system |
| | os_major | os.version_major | KEYWORD | Major version number of the operating system |
| | os_minor | os.version_minor | KEYWORD | Minor version number of the operating system |
| | os_patch | os.version_patch | KEYWORD | Patch version number of the operating system |
| | os_build | os.build | KEYWORD | Build version of the operating system |
| | os_platform | os.platform | KEYWORD | Platform of the operating system |
| | sysname | | TEXT ❓ | System name |
| | release | | KEYWORD | System release |
| | version | | KEYWORD | System version |
| | os_release | os.version | TEXT | Operating system release version |
| ❌ | checksum | file.hash.md5 | KEYWORD | Checksum of the scan |
| ❌ | os_display_version | os.version | TEXT | Display version of the operating system |
| ❌ | reference | | TEXT | Reference information |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | scan_id | | KEYWORD | Scan identifier |
| | scan_time | @timestamp | DATE | Timestamp of the scan |
| | name | network.name | KEYWORD | Name of the network interface |
| | adapter | | KEYWORD | Adapter name of the network interface |
| | type | network.type | KEYWORD | Type of the network interface |
| | state | network.state | KEYWORD | State of the network interface |
| | mtu | network.mtu | INTEGER | Maximum transmission unit size |
| | mac | network.mac | KEYWORD | MAC address of the network interface |
| | tx_packets | network.out.packets | INTEGER | Number of transmitted packets |
| | rx_packets | network.in.packets | INTEGER | Number of received packets |
| | tx_bytes | network.out.bytes | INTEGER | Number of transmitted bytes |
| | rx_bytes | network.in.bytes | INTEGER | Number of received bytes |
| | tx_errors | network.out.errors | INTEGER | Number of transmission errors |
| | rx_errors | network.in.errors | INTEGER | Number of reception errors |
| | tx_dropped | network.out.dropped | INTEGER | Number of dropped transmitted packets |
| | rx_dropped | network.in.dropped | INTEGER | Number of dropped received packets |
| ❌ | checksum | file.hash.md5 | KEYWORD | Checksum of the scan |
| | item_id | | KEYWORD | Unique identifier for the network interface item |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | scan_id | sys_netiface.scan_id | KEYWORD | Reference to the scan information |
| | iface | sys_netiface.name | KEYWORD | Name of the network interface |
| | type | network.type | KEYWORD | Type of network protocol |
| | gateway | network.gateway | KEYWORD | Gateway address |
| | dhcp | network.dhcp | KEYWORD | DHCP status (enabled, disabled, unknown, BOOTP) |
| | metric | network.metric | INTEGER | Metric of the network protocol |
| ❌ | checksum | file.hash.md5 | KEYWORD | Checksum of the scan |
| | item_id | | KEYWORD | Unique identifier for the network protocol item |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | scan_id | sys_netproto.scan_id | KEYWORD | Reference to the scan information |
| | iface | sys_netproto.iface | KEYWORD | Name of the network interface |
| | proto | sys_netproto.type | KEYWORD | Type of network protocol |
| | address | source.address | KEYWORD | Network address |
| | netmask | network.netmask | KEYWORD | Network mask |
| | broadcast | network.broadcast | KEYWORD | Broadcast address |
| ❌ | checksum | file.hash.md5 | KEYWORD | Checksum of the scan |
| | item_id | | KEYWORD | Unique identifier for the network address item |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | scan_id | | KEYWORD | Scan identifier |
| | scan_time | @timestamp | DATE | Timestamp of the scan |
| | board_serial | system.board.serial_number | KEYWORD | Serial number of the motherboard |
| | cpu_name | host.cpu.name | KEYWORD | Name of the CPU |
| | cpu_cores | host.cpu.cores | INTEGER | Number of CPU cores |
| | cpu_mhz | host.cpu.speed | FLOAT | Speed of the CPU in MHz |
| | ram_total | host.memory.total | INTEGER | Total RAM in the system |
| | ram_free | host.memory.free | INTEGER | Free RAM in the system |
| | ram_usage | host.memory.used.pct | INTEGER | RAM usage as a percentage |
| ❌ | checksum | file.hash.md5 | KEYWORD | Checksum of the scan |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | scan_id | | KEYWORD | Scan identifier |
| | scan_time | @timestamp | DATE | Timestamp of the scan |
| | protocol | network.protocol | KEYWORD | Protocol used |
| | local_ip | source.ip | KEYWORD | Local IP address |
| | local_port | source.port | INTEGER | Local port number |
| | remote_ip | destination.ip | KEYWORD | Remote IP address |
| | remote_port | destination.port | INTEGER | Remote port number |
| | tx_queue | network.out.queue | INTEGER | Transmit queue length |
| | rx_queue | network.in.queue | INTEGER | Receive queue length |
| | inode | system.network.inode | INTEGER | Inode number |
| | state | network.transport | KEYWORD | State of the connection |
| | PID | process.pid | INTEGER | Process ID |
| | process | process.name | KEYWORD | Process name |
| ❌ | checksum | file.hash.md5 | KEYWORD | Checksum of the scan |
| | item_id | | KEYWORD | Unique identifier for the network port item |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | scan_id | | KEYWORD | Scan identifier |
| | scan_time | @timestamp | DATE | Timestamp of the scan |
| | format | package.format | KEYWORD | Format of the program |
| | name | package.name | KEYWORD | Name of the program |
| | priority | package.priority | KEYWORD | Priority of the program |
| | section | package.section | KEYWORD | Section of the program |
| | size | package.size | INTEGER | Size of the program |
| | vendor | package.vendor | KEYWORD | Vendor of the program |
| | install_time | package.install_time | DATE | Installation time of the program |
| | version | package.version | KEYWORD | Version of the program |
| | architecture | host.architecture | KEYWORD | Architecture of the program |
| | multiarch | package.multiarch | KEYWORD | Multi-architecture compatibility |
| | source | package.source | KEYWORD | Source of the program |
| | description | package.description | TEXT | Description of the program |
| | location | package.location | KEYWORD | Location of the program |
| | cpe | | KEYWORD | Common Platform Enumeration (CPE) identifier |
| | msu_name | package.msu.name | KEYWORD | Name of the Microsoft Software Update (MSU) package |
| ❌ | checksum | file.hash.md5 | KEYWORD | Checksum of the scan |
| | item_id | | KEYWORD | Unique identifier for the program item |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | scan_id | | KEYWORD | Scan identifier |
| | scan_time | @timestamp | DATE | Timestamp of the scan |
| | hotfix | update.name | KEYWORD | Name of the hotfix |
| ❌ | checksum | file.hash.md5 | KEYWORD | Checksum of the scan |
| | Field name | ECS field name | Data type | Description |
|---|---|---|---|---|
| ❌ | scan_id | | KEYWORD | Scan identifier |
| | scan_time | @timestamp | DATE | Timestamp of the scan |
| | pid | process.pid | KEYWORD | Process ID |
| | name | process.name | KEYWORD | Name of the process |
| | state | process.state | KEYWORD | State of the process |
| | ppid | process.ppid | INTEGER | Parent process ID |
| | utime | process.cpu.user | INTEGER | User mode CPU time |
| | stime | process.cpu.system | INTEGER | Kernel mode CPU time |
| | cmd | process.command_line | TEXT | Command executed |
| | argvs | process.args | TEXT | Command line arguments |
| | euser | user.effective.id | KEYWORD | Effective user ID |
| | ruser | user.id | KEYWORD | Real user ID |
| | suser | user.saved.id | KEYWORD | Saved user ID |
| | egroup | group.effective.id | KEYWORD | Effective group ID |
| | rgroup | group.id | KEYWORD | Real group ID |
| | sgroup | group.saved.id | KEYWORD | Saved group ID |
| | fgroup | group.file.id | KEYWORD | File group ID |
| | priority | process.priority | INTEGER | Process priority |
| | nice | process.nice | INTEGER | Nice value |
| | size | process.size | INTEGER | Process size |
| | vm_size | process.vm.size | INTEGER | Virtual memory size |
| | resident | process.memory.resident | INTEGER | Resident set size |
| | share | process.memory.share | INTEGER | Shared memory size |
| | start_time | process.start | DATE | Process start time |
| | pgrp | process.group | INTEGER | Process group ID |
| | session | process.session | INTEGER | Session ID |
| | nlwp | process.nlwp | INTEGER | Number of light-weight processes |
| | tgid | process.tgid | INTEGER | Thread group ID |
| | tty | process.tty | INTEGER | Controlling terminal |
| | processor | host.cpu.processor | INTEGER | Processor number |
| ❌ | checksum | file.hash.md5 | KEYWORD | Checksum of the scan |
We reopen this issue.
For the specific case of the operating system inventory, we will need:
| Field | Linux | Windows | macOS |
|---|---|---|---|
| scan_id | 0 | 0 | 0 |
| scan_time | 2024/06/28 12:06:56 | 2024/06/28 12:12:44 | 2024/06/28 12:07:39 |
| hostname | Rocket | ROCKET | Vikmans-MacBook-Pro.local |
| architecture | x86_64 | x86_64 | arm64 |
| os_name | Ubuntu | Microsoft Windows 11 Pro | macOS |
| os_version | 24.04 LTS (Noble Numbat) | 10.0.22631.3737 | 14.5 |
| os_codename | noble | | Sonoma |
| os_major | 24 | 10 | 14 |
| os_minor | 04 | 0 | 5 |
| os_build | | | 23F79 |
| os_platform | ubuntu | 22631.3737 | darwin |
| sysname | Linux | windows | Darwin |
| release | 5.15.153.1-microsoft-standard-WSL2 | 2009 | 23.5.0 |
| version | #1 SMP Fri Mar 29 23:14:13 UTC 2024 | 1719576763000555500 | Darwin Kernel Version 23.5.0: Wed May 1 20:13:18 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T6030 |
| checksum | 1719576416746634351 | 23H2 | 1719576458594152 |
| reference | d0241780a708ba1e2a1a54762c15b2e3c75aabc8 | c6be314466fb7ad4d7a78462fc3d05c49231fbd5 | 2419f871e6668f5f4e67c75fbb92b3ab48e830f4 |
Parent issue:
Description
As part of the ongoing enhancements for Wazuh Indexer, we need to define and document the fields for the modules that produce stateful data. The specific modules in scope are:
These fields will be essential for ensuring consistent and comprehensive data handling across the platform.
Requirements