Define fields for stateful modules data

[vikman90]

Parent issue::

• https://github.com/wazuh/wazuh-indexer/issues/270

Description

As part of the ongoing enhancements for Wazuh Indexer, we need to define and document the fields for the modules that produce stateful data. The specific modules in scope are:

1. File Integrity Monitoring (FIM)
2. Security Configuration Assessment (SCA)
3. System Inventory (AKA Syscollector)

These fields will be essential for ensuring consistent and comprehensive data handling across the platform.

Requirements

• Create a table for each module listed above.
• Each table should include the following columns:
  • Field name: The name of the field.
  • ECS field name: Mapping to ECS.
  • Data type: The type of data stored.
  • Description: A brief description of what the field represents.
• Ensure the fields cover all necessary aspects of the data produced by these modules.

[vikman90]

Tables

Based on file: schema_agents.sql

File Integrity Monitoring

	Field name	ECS name	Data type	Description
	full_path	file.path	KEYWORD	Full path of the item
	file	file.name	KEYWORD	File name
	type	file.type	KEYWORD	Type of file
	date	@timestamp	DATE	Entry timestamp
❌	changes		KEYWORD	Type of change
	arch	host.architecture ❓	KEYWORD	System architecture
	value_name	registry.value	KEYWORD	Registry value name
	value_type	registry.data.type	KEYWORD	Registry value type
	size	file.size	LONG	File size in bytes
	perm	file.mode ❗	KEYWORD	File permissions
	uid	file.uid	LONG	User ID of file owner
	gid	file.gid	LONG	Group ID of file owner
	md5	file.hash.md5	KEYWORD	MD5 hash
	sha1	file.hash.sha1	KEYWORD	SHA1 hash
	uname	file.owner	KEYWORD	User name
	gname	file.group	KEYWORD	Group name
	mtime	file.mtime	DATE	Last modification time
	inode	file.inode	LONG	Inode number
	sha256	file.hash.sha256	KEYWORD	SHA256 hash
	attributes	file.attributes	KEYWORD	File attributes
	symbolic_path	file.target_path	KEYWORD	Symbolic link path
❌	checksum		KEYWORD	File checksum

❗Requires some changes in the agent's FIM module.

[cborla]

Tables

Based on file: schema_agents.sql

Security Configuration Assessment (SCA)

sca_check

	Field name	ECS field name	Data type	Description
❌	scan_id	sca_scan_info.id	INTEGER	Reference to the scan information
	id		INTEGER	Primary key for the check
	policy_id	sca_policy.id	KEYWORD	Reference to the policy
	title	rule.name ❓	TEXT	Title of the check
	description	rule.description	TEXT	Description of the check
	rationale		TEXT	Rationale behind the check
	remediation		TEXT	Steps for remediation
	file	file.path	KEYWORD	File related to the check
	process	process.name	KEYWORD	Process related to the check
	directory	file.directory	KEYWORD	Directory related to the check
	registry	registry.path	KEYWORD	Registry related to the check
	command	process.command_line	TEXT	Command related to the check
	references	rule.reference	TEXT	References for the check
	result	event.outcome	KEYWORD	Result of the check
	reason		TEXT	Reason for the result
	condition		TEXT	Condition that triggers the check

❌ sca_scan_info

	Field name	ECS field name	Data type	Description
❌	id		INTEGER	Primary key for the scan information
❌	start_scan	event.start	DATE	Timestamp when the scan started
❌	end_scan	event.end	DATE	Timestamp when the scan ended
❌	policy_id	sca_policy.id	KEYWORD	Reference to the policy
❌	pass		INTEGER	Number of passed checks
❌	fail		INTEGER	Number of failed checks
❌	invalid		INTEGER	Number of invalid checks
❌	total_checks		INTEGER	Total number of checks performed
❌	score		INTEGER	Score of the scan
❌	hash	file.hash.md5	KEYWORD	Hash of the scan information

❌ sca_policy

	Field name	ECS field name	Data type	Description
❌	name		TEXT	Name of the policy
❌	file	file.path	KEYWORD	File associated with the policy
❌	id		KEYWORD	Unique identifier for the policy
❌	description		TEXT	Description of the policy
❌	references	rule.reference	TEXT	References for the policy
❌	hash_file	file.hash.md5	KEYWORD	Hash of the policy file

❌ sca_check_rules

	Field name	ECS field name	Data type	Description
❌	id_check	sca_check.id	INTEGER	Reference to the check ID
❌	type		KEYWORD	Type of the rule
❌	rule		TEXT	Rule associated with the check

❌ sca_check_compliance

	Field name	ECS field name	Data type	Description
❌	id_check	sca_check.id	INTEGER	Reference to the check ID
❌	key		KEYWORD	Compliance key
❌	value		KEYWORD	Value associated with the compliance key

[cborla]

Tables

Based on file: schema_agents.sql

System Inventory (Syscollector)

sys_osinfo

Field name	ECS field name	Data type	Description
❌	scan_id		KEYWORD	Scan identifier
	scan_time	@timestamp	DATE	Tinestamp of the scan
	hostname	host.hostname	KEYWORD	Hostname of the system
	architecture	host.architecture	KEYWORD	System architecture
	os_name	os.name	KEYWORD	Name of the operating system
	os_version	os.version	KEYWORD	Version of the operating system
	os_codename	os.codename	KEYWORD	Code name of the operating system
	os_major	os.version_major	KEYWORD	Major version number of the operating system
	os_minor	os.version_minor	KEYWORD	Minor version number of the operating system
	os_patch	os.version_patch	KEYWORD	Patch version number of the operating system
	os_build	os.build	KEYWORD	Build version of the operating system
	os_platform	os.platform	KEYWORD	Platform of the operating system
	sysname		TEXT ❓	System name
	release		KEYWORD	System release
	version		KEYWORD	System version
	os_release	os.version	TEXT	Operating system release version
❌	checksum	file.hash.md5	KEYWORD	Checksum of the scan
❌	os_display_version	os.version	TEXT	Display version of the operating system
❌	reference		TEXT	Reference information

sys_netiface

	Field name	ECS field name	Data type	Description
❌	scan_id		KEYWORD	Scan identifier
	scan_time	@timestamp	DATE	Timestamp of the scan
	name	network.name	KEYWORD	Name of the network interface
	adapter		KEYWORD	Adapter name of the network interface
	type	network.type	KEYWORD	Type of the network interface
	state	network.state	KEYWORD	State of the network interface
	mtu	network.mtu	INTEGER	Maximum transmission unit size
	mac	network.mac	KEYWORD	MAC address of the network interface
	tx_packets	network.out.packets	INTEGER	Number of transmitted packets
	rx_packets	network.in.packets	INTEGER	Number of received packets
	tx_bytes	network.out.bytes	INTEGER	Number of transmitted bytes
	rx_bytes	network.in.bytes	INTEGER	Number of received bytes
	tx_errors	network.out.errors	INTEGER	Number of transmission errors
	rx_errors	network.in.errors	INTEGER	Number of reception errors
	tx_dropped	network.out.dropped	INTEGER	Number of dropped transmitted packets
	rx_dropped	network.in.dropped	INTEGER	Number of dropped received packets
❌	checksum	file.hash.md5	KEYWORD	Checksum of the scan
	item_id		KEYWORD	Unique identifier for the network interface item

sys_netproto

	Field name	ECS field name	Data type	Description
❌	scan_id	sys_netiface.scan_id	KEYWORD	Reference to the scan information
	iface	sys_netiface.name	KEYWORD	Name of the network interface
	type	network.type	KEYWORD	Type of network protocol
	gateway	network.gateway	KEYWORD	Gateway address
	dhcp	network.dhcp	KEYWORD	DHCP status (enabled, disabled, unknown, BOOTP)
	metric	network.metric	INTEGER	Metric of the network protocol
❌	checksum	file.hash.md5	KEYWORD	Checksum of the scan
	item_id		KEYWORD	Unique identifier for the network protocol item

sys_netaddr

	Field name	ECS field name	Data type	Description
❌	scan_id	sys_netproto.scan_id	KEYWORD	Reference to the scan information
	iface	sys_netproto.iface	KEYWORD	Name of the network interface
	proto	sys_netproto.type	KEYWORD	Type of network protocol
	address	source.address	KEYWORD	Network address
	netmask	network.netmask	KEYWORD	Network mask
	broadcast	network.broadcast	KEYWORD	Broadcast address
❌	checksum	file.hash.md5	KEYWORD	Checksum of the scan
	item_id		KEYWORD	Unique identifier for the network address item

sys_hwinfo

	Field name	ECS field name	Data type	Description
❌	scan_id		KEYWORD	Scan identifier
	scan_time	@timestamp	DATE	Timestamp of the scan
	board_serial	system.board.serial_number	KEYWORD	Serial number of the motherboard
	cpu_name	host.cpu.name	KEYWORD	Name of the CPU
	cpu_cores	host.cpu.cores	INTEGER	Number of CPU cores
	cpu_mhz	host.cpu.speed	FLOAT	Speed of the CPU in MHz
	ram_total	host.memory.total	INTEGER	Total RAM in the system
	ram_free	host.memory.free	INTEGER	Free RAM in the system
	ram_usage	host.memory.used.pct	INTEGER	RAM usage as a percentage
❌	checksum	file.hash.md5	KEYWORD	Checksum of the scan

sys_ports

	Field name	ECS field name	Data type	Description
❌	scan_id		KEYWORD	Scan identifier
	scan_time	@timestamp	DATE	Timestamp of the scan
	protocol	network.protocol	KEYWORD	Protocol used
	local_ip	source.ip	KEYWORD	Local IP address
	local_port	source.port	INTEGER	Local port number
	remote_ip	destination.ip	KEYWORD	Remote IP address
	remote_port	destination.port	INTEGER	Remote port number
	tx_queue	network.out.queue	INTEGER	Transmit queue length
	rx_queue	network.in.queue	INTEGER	Receive queue length
	inode	system.network.inode	INTEGER	Inode number
	state	network.transport	KEYWORD	State of the connection
	PID	process.pid	INTEGER	Process ID
	process	process.name	KEYWORD	Process name
❌	checksum	file.hash.md5	KEYWORD	Checksum of the scan
	item_id		KEYWORD	Unique identifier for the network port item

sys_programs

	Field name	ECS field name	Data type	Description
❌	scan_id		KEYWORD	Scan identifier
	scan_time	@timestamp	DATE	Timestamp of the scan
	format	package.format	KEYWORD	Format of the program
	name	package.name	KEYWORD	Name of the program
	priority	package.priority	KEYWORD	Priority of the program
	section	package.section	KEYWORD	Section of the program
	size	package.size	INTEGER	Size of the program
	vendor	package.vendor	KEYWORD	Vendor of the program
	install_time	package.install_time	DATE	Installation time of the program
	version	package.version	KEYWORD	Version of the program
	architecture	host.architecture	KEYWORD	Architecture of the program
	multiarch	package.multiarch	KEYWORD	Multi-architecture compatibility
	source	package.source	KEYWORD	Source of the program
	description	package.description	TEXT	Description of the program
	location	package.location	KEYWORD	Location of the program
	cpe		KEYWORD	Common Platform Enumeration (CPE) identifier
	msu_name	package.msu.name	KEYWORD	Name of the Microsoft Software Update (MSU) package
❌	checksum	file.hash.md5	KEYWORD	Checksum of the scan
	item_id		KEYWORD	Unique identifier for the program item

sys_hotfixes

	Field name	ECS field name	Data type	Description
❌	scan_id		KEYWORD	Scan identifier
	scan_time	@timestamp	DATE	Timestamp of the scan
	hotfix	update.name	KEYWORD	Name of the hotfix
❌	checksum	file.hash.md5	KEYWORD	Checksum of the scan

sys_processes

	Field name	ECS field name	Data type	Description
❌	scan_id		KEYWORD	Scan identifier
	scan_time	@timestamp	DATE	Timestamp of the scan
	pid	process.pid	KEYWORD	Process ID
	name	process.name	KEYWORD	Name of the process
	state	process.state	KEYWORD	State of the process
	ppid	process.ppid	INTEGER	Parent process ID
	utime	process.cpu.user	INTEGER	User mode CPU time
	stime	process.cpu.system	INTEGER	Kernel mode CPU time
	cmd	process.command_line	TEXT	Command executed
	argvs	process.args	TEXT	Command line arguments
	euser	user.effective.id	KEYWORD	Effective user ID
	ruser	user.id	KEYWORD	Real user ID
	suser	user.saved.id	KEYWORD	Saved user ID
	egroup	group.effective.id	KEYWORD	Effective group ID
	rgroup	group.id	KEYWORD	Real group ID
	sgroup	group.saved.id	KEYWORD	Saved group ID
	fgroup	group.file.id	KEYWORD	File group ID
	priority	process.priority	INTEGER	Process priority
	nice	process.nice	INTEGER	Nice value
	size	process.size	INTEGER	Process size
	vm_size	process.vm.size	INTEGER	Virtual memory size
	resident	process.memory.resident	INTEGER	Resident set size
	share	process.memory.share	INTEGER	Shared memory size
	start_time	process.start	DATE	Process start time
	pgrp	process.group	INTEGER	Process group ID
	session	process.session	INTEGER	Session ID
	nlwp	process.nlwp	INTEGER	Number of light-weight processes
	tgid	process.tgid	INTEGER	Thread group ID
	tty	process.tty	INTEGER	Controlling terminal
	processor	host.cpu.processor	INTEGER	Processor number
❌	checksum	file.hash.md5	KEYWORD	Checksum of the scan

[vikman90]

We reopen this issue.

For the specific case of the operating system inventory, we will need:

1. Create a new table with examples of each current field, for Linux, Windows and macOS.
2. Define with @dwordcito which fields are necessary for Vulnerability Detection.

[vikman90]

OS inventory table

Field	Linux	Windows	macOS
scan_id	0	0	0
scan_time	2024/06/28 12:06:56	2024/06/28 12:12:44	2024/06/28 12:07:39
hostname	Rocket	ROCKET	Vikmans-MacBook-Pro.local
architecture	x86_64	x86_64	arm64
os_name	Ubuntu	Microsoft Windows 11 Pro	macOS
os_version	24.04 LTS (Noble Numbat)	10.0.22631.3737	14.5
os_codename	noble		Sonoma
os_major	24	10	14
os_minor	04	0	5
os_build			23F79
os_platform	ubuntu	22631.3737	darwin
sysname	Linux	windows	Darwin
release	5.15.153.1-microsoft-standard-WSL2	2009	23.5.0
version	#1 SMP Fri Mar 29 23:14:13 UTC 2024	1719576763000555500	Darwin Kernel Version 23.5.0: Wed May 1 20:13:18 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T6030
checksum	1719576416746634351	23H2	1719576458594152
reference	d0241780a708ba1e2a1a54762c15b2e3c75aabc8	c6be314466fb7ad4d7a78462fc3d05c49231fbd5	2419f871e6668f5f4e67c75fbb92b3ab48e830f4