wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Validate API reorganization - `catalog` command #4041

Closed roronoasins closed 1 year ago

roronoasins commented 1 year ago
| Target version | Development issue | Development PR | Test planning | QA Epic |
|----------------|-------------------|----------------|---------------|---------|
| 5.0.0 | https://github.com/wazuh/wazuh/issues/16156 | https://github.com/wazuh/wazuh/pull/16235 | https://github.com/wazuh/wazuh-qa/issues/4011 | https://github.com/wazuh/wazuh-qa/issues/4037 |

Description

The purpose of this issue is to verify the API reorganization by testing the following commands, this time using the API's socket:

Proposed cases

The `list` subcommand has been deprecated.

Scenario Outline 1: catalog - get already loaded items by their type

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is get
And the parameters contains "<type>" within the name
And the parameters contains "<format>" within the name
Then all the already loaded "<type>" will be listed

Examples:
| type    | format |
|---------|--------|
| decoder | json   |
| schema  | json   |
| policy  | json   |
| output  | json   |
| filter  | json   |
| decoder | yaml   |
| schema  | yaml   |
| policy  | yaml   |
| output  | yaml   |
| filter  | yaml   |
| decoder | yml    |
| schema  | yml    |
| policy  | yml    |
| output  | yml    |
| filter  | yml    |
```

Scenario 2: catalog - get not loaded items by their type

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is get
And the parameters contains an item type that is not supported within the name
Then the api response will contain an error
```

Scenario Outline 3: catalog - get already loaded items by their name

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is get
And the parameters contains "<type>" and item's id as name
Then all the already loaded "<type>" for that name will be listed

Examples:
| type    |
|---------|
| decoder |
| schema  |
| policy  |
| output  |
| filter  |
```

Scenario Outline 4: catalog - get not loaded items by their name

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is get
And the parameters contains "<type>" and item's id as name
Then the api response will contain an error

Examples:
| type    |
|---------|
| decoder |
| schema  |
| policy  |
| output  |
| filter  |
```

Scenario Outline 5: catalog - get already loaded items by their version

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is get
And the parameters contains "<type>" and items' id and version as name
And the parameters contains "<format>" within the name
Then all the already loaded "<type>" for that name will be listed

Examples:
| type    | format |
|---------|--------|
| decoder | json   |
| schema  | json   |
| policy  | json   |
| output  | json   |
| filter  | json   |
| decoder | yaml   |
| schema  | yaml   |
| policy  | yaml   |
| output  | yaml   |
| filter  | yaml   |
| decoder | yml    |
| schema  | yml    |
| policy  | yml    |
| output  | yml    |
| filter  | yml    |
```

Scenario Outline 6: catalog - get not loaded items by their version

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is get
And the parameters contains "<type>" and items' id and version as name
Then the api response will contain an error

Examples:
| type        |
|-------------|
| decoder     |
| schema      |
| environment |
| output      |
| rule        |
| filter      |
```

Scenario 7: catalog - get a non-existing collection type

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is get
And the parameters contains an item name that does not exist
Then the api response will contain an error
```

Scenario Outline 8: catalog - update an item

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is update
And the parameters contains "<type>" and items' id and version as name
And the json file is provided
Then the request will succeed

Examples:
| type        |
|-------------|
| decoder     |
| schema      |
| environment |
| output      |
| rule        |
| filter      |
```

Scenario Outline 9: catalog - update a non-existing item

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is update
And the parameters contains wrong items' "<field>"
And the json file is provided
Then the response will contain an error

Examples:
| field   |
|---------|
| id      |
| version |
```

Scenario Outline 10: catalog - create an item

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is create
And the parameters contains "<type>" to create
And the json file is provided
Then the response will return as success
And the item can be obtained by using the get subcommand

Examples:
| type    |
|---------|
| decoder |
| schema  |
| policy  |
| output  |
| filter  |
```

Scenario 11: catalog - create an already existing item

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is create
And the parameters contains the type and content to create
And the json file is provided
Then the response will contain an error
And the already existing item was not modified
And the item can be obtained by using the get subcommand
```

Scenario 12: catalog - create a non-existing item type

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is create
And the parameters contains a type that is not supported
And the json file is provided
Then the response will contain an error
And the already loaded items did not change
```

Scenario Outline 13: catalog - delete a loaded item

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is delete
And the parameters contains a loaded "<type>"
Then the response will succeed
And the item can't be obtained by using the get subcommand

Examples:
| type    |
|---------|
| decoder |
| schema  |
| policy  |
| output  |
| filter  |
```

Scenario Outline 14: catalog - delete a loaded item id

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is delete
And the parameters contains a loaded "<type>" and its id
Then the response will succeed
And the item can't be obtained by using the get subcommand

Examples:
| type    |
|---------|
| decoder |
| schema  |
| policy  |
| output  |
| filter  |
```

Scenario Outline 15: catalog - delete a loaded item version

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is delete
And the parameters contains a loaded "<type>", its id and version
Then the response will succeed
And the item can't be obtained by using the get subcommand

Examples:
| type    |
|---------|
| decoder |
| schema  |
| policy  |
| output  |
| filter  |
```

Scenario Outline 16: catalog - delete a non-existing item

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is delete
And the parameters contains a non-existing "<type>"
Then the response will contain an error

Examples:
| type    |
|---------|
| decoder |
| schema  |
| policy  |
| output  |
| filter  |
```

Scenario Outline 17: catalog - delete a non-existing item version

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is delete
And the parameters contains a non-existing "<type>" version
Then the response will contain an error

Examples:
| type    |
|---------|
| decoder |
| schema  |
| policy  |
| output  |
| filter  |
```

Scenario 18: use a not valid name parameter format

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request parameter has more fields than expected
Then the response will contain an error
```

Scenario Outline 19: catalog - validate an item type with valid syntax

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is validate
And the parameters contains the item "<type>" name and file
Then the response will succeed

Examples:
| type    |
|---------|
| decoder |
| schema  |
| policy  |
| output  |
| filter  |
```

Scenario Outline 20: catalog - validate a decoder with some missing section

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request subcommand is validate
And the parameters contains the decoder name and the file
And the file does not contain the "<section>" section
Then the response will contain an error if there is no name section

Examples:
| section |
|---------|
| name    |
| sources |
| check   |
| parse   |
```

Scenario 21: catalog - validate an item with non-valid formatting

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request parameter format is json
And the request parameter content has no valid format
Then the response will contain an error
```

Scenario 22: catalog - validate an item with wrong name parameter value

```Gherkin
Given a manager with the engine
And the ruleset loaded
When requesting to the engine's api socket
And the request parameter name has not the name that appears within the content parameter
Then the response will contain an error
```

Status

roronoasins commented 1 year ago

Review data

| Tester | PR commit |
|--------|-----------|
| @roronoasins | https://github.com/wazuh/wazuh/pull/16235/commits/95553e1bd7183263ad0fcb2c023576dfb7d77eda |

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
|----|------------|------------|-----------|-------|
| Ubuntu | 20.04 | Vagrant | generic/ubuntu2004 | The environment used for these tests was set up using the development team's vagrantfile |

Tested packages

The manager was built from sources using the engine's dev branch

Settings

custom script

```python
import json
import google.protobuf.json_format          # imported by the original script
from proto_code import engine_pb2, catalog_pb2
from struct import pack, unpack
from socket import socket, AF_UNIX, SOCK_STREAM

# wazuh query template
query_template = {
    "version": 1,
    "origin": {
        "name": "engine",
        "module": "api"
    }
}

ENGINE_SOCKET = '/var/ossec/queue/sockets/engine-api'

# Maps the `command` field of a case to the engine API command namespace.
# The original mapping was cut off in the comment; 'catalog.resource' is
# taken from the queries printed in the test results below.
PROTO_COMMANDS = {"catalog": "catalog.resource"}


class Engine:
    def __init__(self):
        self.proto_command = None
        self.command = None
        self.subcommand = None
        self.parameters = None
        self.query = None
        self.response = None

    @staticmethod
    def get_proto_response_status(status):
        return engine_pb2.ReturnStatus.Value(status)

    def get_api_parameters(self):
        return self.parameters

    def get_api_command(self):
        return self.command

    def get_engine_api_response_data(self):
        # The original decoded `self.query` here, which is a dict and not the
        # raw reply; the reply received in perform_api_query is what holds `data`.
        return json.loads(self.response)['data']

    def set_api_command(self):
        self.command = f"{self.proto_command}/{self.subcommand}"

    def set_api_query(self):
        self.query = self.generate_api_query()

    def generate_api_query(self):
        query = dict(query_template)
        query['command'] = self.get_api_command()
        query['parameters'] = self.get_api_parameters()
        return query

    def perform_api_query(self):
        sock = socket(AF_UNIX, SOCK_STREAM)
        sock.connect(ENGINE_SOCKET)
        print(f"Query: {self.query}")
        msg = json.dumps(self.query).encode()
        # Wazuh socket framing: 4-byte little-endian payload length, then the payload.
        sock.sendall(pack("<I", len(msg)) + msg)
        # The rest of this method was cut off in the original comment. The reply
        # is read here assuming it mirrors the request framing (length header,
        # then payload), which matches the responses printed below.
        header = sock.recv(4)
        (size,) = unpack("<I", header)
        reply = b''
        while len(reply) < size:
            chunk = sock.recv(size - len(reply))
            if not chunk:
                break
            reply += chunk
        sock.close()
        self.response = reply.decode()
        print(f"Response: {self.response}")


if __name__ == '__main__':
    # Cases are read from cases.json, as described in the test steps below.
    with open('cases.json') as cases_file:
        cases = json.load(cases_file)
    for case in cases:
        print('---------\n')
        print(f"Case: {case}")
        engine = Engine()
        engine.proto_command = PROTO_COMMANDS[case['command']]
        engine.subcommand = case['subcommand']
        engine.parameters = case['parameters']
        engine.set_api_command()
        engine.set_api_query()
        engine.perform_api_query()
```
roronoasins commented 1 year ago

Scenario Outline 1: catalog - get already loaded items by their type

Since the format is required for the API endpoint, the formats also need to be tested.

```
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder'}}
Response: {"data":{"status":"ERROR","error":"Missing or invalid /format parameter"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

The format is required, while via the CLI it is not.

The json and yaml were checked with

Get the already loaded decoders as json :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "decoder",
         "format": "json"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"[\"decoder/core-rootcheck\",\"decoder/ciscat\",\"decoder/core-rsyslog\",\"decoder/syscollector-dbsync-host-data\",\"decoder/custom-json\",\"decoder/core-ciscat\",\"decoder/sca\",\"decoder/fim-scan\",\"decoder/upgrade\",\"decoder/fim\",\"decoder/kvdb-agent-update\",\"decoder/core-syscollector\",\"decoder/core-dbsync\",\"decoder/custom2\",\"decoder/dbsync-host-data\",\"decoder/core-localfile\",\"decoder/dbsync\",\"decoder/fim-event\",\"decoder/syscollector-base\",\"decoder/core-syscheck\",\"decoder/syscollector-dbsync\",\"decoder/rootcheck\",\"decoder/core-upgrade\",\"decoder/core-secure\",\"decoder/integrations\",\"decoder/core-hostinfo\",\"decoder/custom\",\"decoder/core-windows\",\"decoder/core-sca\",\"decoder/core-ossec-message\"]"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid json
   ```json
   ["decoder/core-rootcheck", "decoder/ciscat", "decoder/core-rsyslog", "decoder/syscollector-dbsync-host-data", "decoder/custom-json", "decoder/core-ciscat", "decoder/sca", "decoder/fim-scan", "decoder/upgrade", "decoder/fim", "decoder/kvdb-agent-update", "decoder/core-syscollector", "decoder/core-dbsync", "decoder/custom2", "decoder/dbsync-host-data", "decoder/core-localfile", "decoder/dbsync", "decoder/fim-event", "decoder/syscollector-base", "decoder/core-syscheck", "decoder/syscollector-dbsync", "decoder/rootcheck", "decoder/core-upgrade", "decoder/core-secure", "decoder/integrations", "decoder/core-hostinfo", "decoder/custom", "decoder/core-windows", "decoder/core-sca", "decoder/core-ossec-message"]
   ```

> Results
>
> Valid JSON

Get the already loaded decoders as yaml :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "decoder",
         "format": "yaml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder', 'format': 'yaml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder', 'format': 'yaml'}}
   Response: {"data":{"status":"OK","content":"- decoder/core-rootcheck\n- decoder/ciscat\n- decoder/core-rsyslog\n- decoder/syscollector-dbsync-host-data\n- decoder/custom-json\n- decoder/core-ciscat\n- decoder/sca\n- decoder/fim-scan\n- decoder/upgrade\n- decoder/fim\n- decoder/kvdb-agent-update\n- decoder/core-syscollector\n- decoder/core-dbsync\n- decoder/custom2\n- decoder/dbsync-host-data\n- decoder/core-localfile\n- decoder/dbsync\n- decoder/fim-event\n- decoder/syscollector-base\n- decoder/core-syscheck\n- decoder/syscollector-dbsync\n- decoder/rootcheck\n- decoder/core-upgrade\n- decoder/core-secure\n- decoder/integrations\n- decoder/core-hostinfo\n- decoder/custom\n- decoder/core-windows\n- decoder/core-sca\n- decoder/core-ossec-message"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid yaml
   ```yaml
   - decoder/core-rootcheck
   - decoder/ciscat
   - decoder/core-rsyslog
   - decoder/syscollector-dbsync-host-data
   - decoder/custom-json
   - decoder/core-ciscat
   - decoder/sca
   - decoder/fim-scan
   - decoder/upgrade
   - decoder/fim
   - decoder/kvdb-agent-update
   - decoder/core-syscollector
   - decoder/core-dbsync
   - decoder/custom2
   - decoder/dbsync-host-data
   - decoder/core-localfile
   - decoder/dbsync
   - decoder/fim-event
   - decoder/syscollector-base
   - decoder/core-syscheck
   - decoder/syscollector-dbsync
   - decoder/rootcheck
   - decoder/core-upgrade
   - decoder/core-secure
   - decoder/integrations
   - decoder/core-hostinfo
   - decoder/custom
   - decoder/core-windows
   - decoder/core-sca
   - decoder/core-ossec-message
   ```

> Results
>
> Valid YAML!

Get the already loaded decoders as yml (alias for yaml) :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "decoder",
         "format": "yml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder', 'format': 'yml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder', 'format': 'yml'}}
   Response: {"data":{"status":"OK","content":"- decoder/core-rootcheck\n- decoder/ciscat\n- decoder/core-rsyslog\n- decoder/syscollector-dbsync-host-data\n- decoder/custom-json\n- decoder/core-ciscat\n- decoder/sca\n- decoder/fim-scan\n- decoder/upgrade\n- decoder/fim\n- decoder/kvdb-agent-update\n- decoder/core-syscollector\n- decoder/core-dbsync\n- decoder/custom2\n- decoder/dbsync-host-data\n- decoder/core-localfile\n- decoder/dbsync\n- decoder/fim-event\n- decoder/syscollector-base\n- decoder/core-syscheck\n- decoder/syscollector-dbsync\n- decoder/rootcheck\n- decoder/core-upgrade\n- decoder/core-secure\n- decoder/integrations\n- decoder/core-hostinfo\n- decoder/custom\n- decoder/core-windows\n- decoder/core-sca\n- decoder/core-ossec-message"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid yaml
   ```yaml
   - decoder/core-rootcheck
   - decoder/ciscat
   - decoder/core-rsyslog
   - decoder/syscollector-dbsync-host-data
   - decoder/custom-json
   - decoder/core-ciscat
   - decoder/sca
   - decoder/fim-scan
   - decoder/upgrade
   - decoder/fim
   - decoder/kvdb-agent-update
   - decoder/core-syscollector
   - decoder/core-dbsync
   - decoder/custom2
   - decoder/dbsync-host-data
   - decoder/core-localfile
   - decoder/dbsync
   - decoder/fim-event
   - decoder/syscollector-base
   - decoder/core-syscheck
   - decoder/syscollector-dbsync
   - decoder/rootcheck
   - decoder/core-upgrade
   - decoder/core-secure
   - decoder/integrations
   - decoder/core-hostinfo
   - decoder/custom
   - decoder/core-windows
   - decoder/core-sca
   - decoder/core-ossec-message
   ```

> Results
>
> Valid YAML!

Get the already loaded schemas as json :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "schema",
         "format": "json"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"[\"schema/wazuh-logpar-types\",\"schema/wazuh-asset\",\"schema/wazuh-policy\"]"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid json
   ```json
   ["schema/wazuh-logpar-types","schema/wazuh-asset","schema/wazuh-policy"]
   ```

> Results
>
> Valid JSON

Get the already loaded schema as yaml :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "schema",
         "format": "yaml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema', 'format': 'yaml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema', 'format': 'yaml'}}
   Response: {"data":{"status":"OK","content":"- schema/wazuh-logpar-types\n- schema/wazuh-asset\n- schema/wazuh-policy"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid yaml
   ```yaml
   - schema/wazuh-logpar-types
   - schema/wazuh-asset
   - schema/wazuh-policy
   ```

> Results
>
> Valid YAML!

Get the already loaded schemas as yml (alias for yaml) :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "schema",
         "format": "yml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema', 'format': 'yml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema', 'format': 'yml'}}
   Response: {"data":{"status":"OK","content":"- schema/wazuh-logpar-types\n- schema/wazuh-asset\n- schema/wazuh-policy"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid yaml
   ```yaml
   - schema/wazuh-logpar-types
   - schema/wazuh-asset
   - schema/wazuh-policy
   ```

> Results
>
> Valid YAML!

Get the already loaded policy as json :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "policy",
         "format": "json"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"[\"policy/wazuh\",\"policy/custom\"]"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid json
   ```json
   ["policy/wazuh", "policy/custom"]
   ```

> Results
>
> Valid JSON

Get the already loaded policy as yaml :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "policy",
         "format": "yaml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy', 'format': 'yaml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy', 'format': 'yaml'}}
   Response: {"data":{"status":"OK","content":"- policy/wazuh\n- policy/custom"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid yaml
   ```yaml
   - policy/wazuh
   - policy/custom
   ```

> Results
>
> Valid YAML!

Get the already loaded policy as yml (alias for yaml) :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "policy",
         "format": "yml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy', 'format': 'yml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy', 'format': 'yml'}}
   Response: {"data":{"status":"OK","content":"- policy/wazuh\n- policy/custom"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid yaml
   ```yaml
   - policy/wazuh
   - policy/custom
   ```

> Results
>
> Valid YAML!

Get the already loaded output as json :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "output",
         "format": "json"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"[\"output/file-output\"]"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid json
   ```json
   ["output/file-output"]
   ```

> Results
>
> Valid JSON

Get the already loaded output as yaml :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "output",
         "format": "yaml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output', 'format': 'yaml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output', 'format': 'yaml'}}
   Response: {"data":{"status":"OK","content":"- output/file-output"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid yaml
   ```yaml
   - output/file-output
   ```

> Results
>
> Valid YAML!

Get the already loaded output as yml (alias for yaml) :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "output",
         "format": "yml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------

   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output', 'format': 'yml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output', 'format': 'yml'}}
   Response: {"data":{"status":"OK","content":"- output/file-output"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that response is a valid yaml
   ```yaml
   - output/file-output
   ```

> Results
>
> Valid YAML!

Get the already loaded filter as json :green_circle: 1. Start the manager ``` root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# ``` 2. Add the cases to the `cases.json` ```json [ { "command": "catalog", "subcommand": "get", "parameters": { "name": "filter", "format": "json" } } ] ``` 3. Run the custom script to perform the request to the API socket ``` root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py --------- Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter', 'format': 'json'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter', 'format': 'json'}} Response: {"data":{"status":"OK","content":"[\"filter/allow-all\"]"},"error":0} root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# ``` 4. Verify that response is a valid json ```json ["filter/allow-all"] ``` > Results > > Valid JSON
Get the already loaded filter as yaml :green_circle: 1. Start the manager ``` root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# ``` 2. Add the cases to the `cases.json` ```json [ { "command": "catalog", "subcommand": "get", "parameters": { "name": "filter", "format": "yaml" } } ] ``` 3. Run the custom script to perform the request to the API socket ``` root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py --------- Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter', 'format': 'yaml'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter', 'format': 'yaml'}} Response: {"data":{"status":"OK","content":"- filter/allow-all"},"error":0} root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# ``` 4. Verify that response is a valid yaml ```yaml - filter/allow-all ``` > Results > > Valid YAML!
Get the already loaded filter as yml (alias for yaml) :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "filter",
         "format": "yml"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter', 'format': 'yml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter', 'format': 'yml'}}
   Response: {"data":{"status":"OK","content":"- filter/allow-all"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```

4. Verify that the response is valid YAML

   ```yaml
   - filter/allow-all
   ```

> Results
>
> Valid YAML!
roronoasins commented 1 year ago

Scenario Outline 2: catalog - get not loaded items by their type

Get a non-existing collection type :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "dede/none",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'dede/none', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'dede/none', 'format': 'json'}}
   Response: {"data":{"status":"ERROR","error":"Invalid collection type \"dede\""},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```

Scenario Outline 3: catalog - get already loaded items by their name

Get already loaded decoders :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "decoder/integrations",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/integrations', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/integrations', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"[\"decoder/integrations/0\"]"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
Get already loaded schema :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "schema/wazuh-policy",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/wazuh-policy', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/wazuh-policy', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"[\"schema/wazuh-policy/0\"]"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
Get already loaded policy :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "policy/wazuh",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/wazuh', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/wazuh', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"[\"policy/wazuh/0\"]"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
Get already loaded output :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "output/file-output",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/file-output', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/file-output', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"[\"output/file-output/0\"]"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
Get already loaded filter :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "filter/allow-all",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/allow-all', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/allow-all', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"[\"filter/allow-all/0\"]"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```

Scenario Outline 4: catalog - get not loaded items by their name

Get a non-existing decoder :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "decoder/none",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/none', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/none', 'format': 'json'}}
   Response: {"data":{"status":"ERROR","error":"Content 'decoder/none' could not be obtained from store: File '/var/ossec/engine/store/decoder/none' does not exist"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
Get a non-existing schema :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "schema/none",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/none', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/none', 'format': 'json'}}
   Response: {"data":{"status":"ERROR","error":"Content 'schema/none' could not be obtained from store: File '/var/ossec/engine/store/schema/none' does not exist"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
Get a non-existing policy :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "policy/none",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/none', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/none', 'format': 'json'}}
   Response: {"data":{"status":"ERROR","error":"Content 'policy/none' could not be obtained from store: File '/var/ossec/engine/store/policy/none' does not exist"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
Get a non-existing output :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "output/none",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/none', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/none', 'format': 'json'}}
   Response: {"data":{"status":"ERROR","error":"Content 'output/none' could not be obtained from store: File '/var/ossec/engine/store/output/none' does not exist"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
Get a non-existing filter :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "filter/none",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/none', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/none', 'format': 'json'}}
   Response: {"data":{"status":"ERROR","error":"Content 'filter/none' could not be obtained from store: File '/var/ossec/engine/store/filter/none' does not exist"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
roronoasins commented 1 year ago

Scenario Outline 5: catalog - get already loaded items by their version (I)

Get an already loaded decoder as json :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "decoder/integrations/0",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/integrations/0', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/integrations/0', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"{\"metadata\":{\"title\":\"Base decoder.\"},\"name\":\"decoder/integrations/0\",\"normalize\":[{\"map\":[{\"wazuh.decoders\":\"+array_append/integrations\"}]}],\"sources\":[\"decoder/core-localfile/0\",\"decoder/core-rsyslog/0\",\"decoder/core-windows/0\"]}"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```

4. Verify that the response is valid JSON

   ```json
   {"metadata":{"title":"Base decoder."},"name":"decoder/integrations/0","normalize":[{"map":[{"wazuh.decoders":"+array_append/integrations"}]}],"sources":["decoder/core-localfile/0","decoder/core-rsyslog/0","decoder/core-windows/0"]}
   ```

> Results
>
> Valid JSON
Get the already loaded decoders by its version as yaml :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "decoder/integrations/0",
         "format": "yaml"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/integrations/0', 'format': 'yaml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/integrations/0', 'format': 'yaml'}}
   Response: {"data":{"status":"OK","content":"metadata:\n title: Base decoder.\nname: decoder/integrations/0\nnormalize:\n - map:\n - wazuh.decoders: +array_append/integrations\nsources:\n - decoder/core-localfile/0\n - decoder/core-rsyslog/0\n - decoder/core-windows/0"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```

4. Verify that the response is valid YAML

   ```yaml
   metadata:
     title: Base decoder.
   name: decoder/integrations/0
   normalize:
     - map:
         - wazuh.decoders: +array_append/integrations
   sources:
     - decoder/core-localfile/0
     - decoder/core-rsyslog/0
     - decoder/core-windows/0
   ```

> Results
>
> Valid YAML!
Get the already loaded decoders by its version as yml (alias for yaml) :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "decoder/integrations/0",
         "format": "yml"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/integrations/0', 'format': 'yml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/integrations/0', 'format': 'yml'}}
   Response: {"data":{"status":"OK","content":"metadata:\n title: Base decoder.\nname: decoder/integrations/0\nnormalize:\n - map:\n - wazuh.decoders: +array_append/integrations\nsources:\n - decoder/core-localfile/0\n - decoder/core-rsyslog/0\n - decoder/core-windows/0"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```

4. Verify that the response is valid YAML

   ```yaml
   metadata:
     title: Base decoder.
   name: decoder/integrations/0
   normalize:
     - map:
         - wazuh.decoders: +array_append/integrations
   sources:
     - decoder/core-localfile/0
     - decoder/core-rsyslog/0
     - decoder/core-windows/0
   ```

> Results
>
> Valid YAML!

5. Verify with meld that the content is the same as the one obtained with the yaml format

   1. Paste both content field data into meld
   2. See if there is any highlighted change

   ```
   Files are identical
   ```
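The checks the cases above perform by hand (mapping a `cases.json` entry to the `catalog.resource/get` query, confirming the status, parsing the `content` in the requested format and treating `yml` as an alias of `yaml`) can be expressed as a small validator. The following is an added example and not the project's `test_api_endpoint.py`: it leaves out the socket transport, whose framing the page does not show, and instead feeds in responses copied from the runs above as constructed samples. Parsing YAML with PyYAML and falling back to a flat-list check when it is not installed is an assumption of this example.

```python
import json
import re
from typing import Any, Dict, List

try:
    import yaml  # PyYAML, optional: used to parse "yaml"/"yml" content when present
except ImportError:
    yaml = None

# Envelope fields as printed in the "Query:" lines of the test runs above.
QUERY_VERSION = 1
QUERY_ORIGIN = {"name": "engine", "module": "api"}
YAML_FORMATS = ("yaml", "yml")  # "yml" is accepted as an alias for "yaml"


class CheckFailed(Exception):
    """Raised when a response does not match the scenario's expectation."""


def build_query(case: Dict[str, Any]) -> Dict[str, Any]:
    """Map one cases.json entry to the query sent to the API socket.

    The command/subcommand pair becomes "<command>.resource/<subcommand>",
    the mapping observed above ("catalog" + "get" -> "catalog.resource/get").
    """
    return {
        "version": QUERY_VERSION,
        "origin": dict(QUERY_ORIGIN),
        "command": f"{case['command']}.resource/{case['subcommand']}",
        "parameters": dict(case["parameters"]),
    }


def parse_yaml_list(content: str) -> List[str]:
    """Fallback used only when PyYAML is missing: accept a flat block list.

    Collection listings come back as one "- item" per line; anything else
    (nested mappings such as a full decoder) needs a real YAML parser.
    """
    items = []
    for line in content.splitlines():
        match = re.fullmatch(r"- (\S+)", line.strip())
        if not match:
            raise CheckFailed(f"cannot parse YAML without PyYAML: {line!r}")
        items.append(match.group(1))
    return items


def parse_content(content: str, fmt: str) -> Any:
    """Parse the response 'content' string in the requested format."""
    if fmt == "json":
        return json.loads(content)
    if fmt in YAML_FORMATS:
        return yaml.safe_load(content) if yaml is not None else parse_yaml_list(content)
    raise CheckFailed(f"unsupported format requested: {fmt}")


def check_response(case: Dict[str, Any], raw_response: str, expect_error: bool) -> Any:
    """Validate a raw socket response against what the scenario expects.

    Returns the parsed content for a successful get, or the error message
    for an expected failure; raises CheckFailed otherwise.
    """
    data = json.loads(raw_response)["data"]
    status = data.get("status")
    if expect_error:
        if status != "ERROR" or not data.get("error"):
            raise CheckFailed(f"expected an ERROR status, got: {data}")
        return data["error"]
    if status != "OK":
        raise CheckFailed(f"expected OK, got {status}: {data.get('error')}")
    name = case["parameters"]["name"]
    parsed = parse_content(data["content"], case["parameters"]["format"])
    # Getting a type ("filter") or a type/name ("decoder/integrations") lists
    # the items under that prefix; getting a full version name returns the item.
    if isinstance(parsed, list):
        bad = [item for item in parsed if not str(item).startswith(name)]
        if bad:
            raise CheckFailed(f"items outside the requested collection: {bad}")
    elif parsed.get("name") != name:
        raise CheckFailed(f"item name mismatch: {parsed.get('name')!r} != {name!r}")
    return parsed


# Constructed samples: responses copied from the runs above, paired with their cases.
CASE_FILTER_JSON = {"command": "catalog", "subcommand": "get",
                    "parameters": {"name": "filter", "format": "json"}}
RESPONSE_FILTER_JSON = r'{"data":{"status":"OK","content":"[\"filter/allow-all\"]"},"error":0}'
CASE_FILTER_YML = {"command": "catalog", "subcommand": "get",
                   "parameters": {"name": "filter", "format": "yml"}}
RESPONSE_FILTER_YML = r'{"data":{"status":"OK","content":"- filter/allow-all"},"error":0}'
CASE_BAD_TYPE = {"command": "catalog", "subcommand": "get",
                 "parameters": {"name": "dede/none", "format": "json"}}
RESPONSE_BAD_TYPE = r'{"data":{"status":"ERROR","error":"Invalid collection type \"dede\""},"error":0}'

if __name__ == "__main__":
    for case, raw, err in ((CASE_FILTER_JSON, RESPONSE_FILTER_JSON, False),
                           (CASE_FILTER_YML, RESPONSE_FILTER_YML, False),
                           (CASE_BAD_TYPE, RESPONSE_BAD_TYPE, True)):
        print(build_query(case)["command"], "->", check_response(case, raw, err))
```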
roronoasins commented 1 year ago

Scenario Outline 5: catalog - get already loaded items by their version (II)

Get an already loaded schema by its version as json :green_circle:

1. Start the manager

   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```

2. Add the cases to the `cases.json`

   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "schema/wazuh-logpar-types/0",
         "format": "json"
       }
     }
   ]
   ```

3. Run the custom script to perform the request to the API socket

   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/wazuh-logpar-types/0', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/wazuh-logpar-types/0', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"{\"name\":\"schema/wazuh-logpar-types/0\",\"fields\":{\"@timestamp\":\"date\",\"agent.build.original\":\"keyword\",\"agent.ephemeral_id\":\"keyword\",\"agent.id\":\"keyword\",\"agent.name\":\"keyword\",\"agent.type\":\"keyword\",\"agent.version\":\"keyword\",\"client.address\":\"keyword\",\"client.as.number\":\"long\",\"client.as.organization.name\":\"keyword\",\"client.bytes\":\"long\",\"client.domain\":\"keyword\",\"client.geo.city_name\":\"keyword\",\"client.geo.continent_code\":\"keyword\",\"client.geo.continent_name\":\"keyword\",\"client.geo.country_iso_code\":\"keyword\",\"client.geo.country_name\":\"keyword\",\"client.geo.location\":\"geo_point\",\"client.geo.name\":\"keyword\",\"client.geo.postal_code\":\"keyword\",\"client.geo.region_iso_code\":\"keyword\",\"client.geo.region_name\":\"keyword\",\"client.geo.timezone\":\"keyword\",\"client.ip\":\"ip\",\"client.mac\":\"keyword\",\"client.nat.ip\":\"ip\",\"client.nat.port\":\"long\",\"client.packets\":\"long\",\"client.port\":\"long\",\"client.registered_domain\":\"key
word\",\"client.subdomain\":\"keyword\",\"client.top_level_domain\":\"keyword\",\"client.user.domain\":\"keyword\",\"client.user.email\":\"keyword\",\"client.user.full_name\":\"keyword\",\"client.user.group.domain\":\"keyword\",\"client.user.group.id\":\"keyword\",\"client.user.group.name\":\"keyword\",\"client.user.hash\":\"keyword\",\"client.user.id\":\"keyword\",\"client.user.name\":\"keyword\",\"client.user.risk.calculated_level\":\"keyword\",\"client.user.risk.calculated_score\":\"float\",\"client.user.risk.calculated_score_norm\":\"float\",\"client.user.risk.static_level\":\"keyword\",\"client.user.risk.static_score\":\"float\",\"client.user.risk.static_score_norm\":\"float\",\"cloud.account.id\":\"keyword\",\"cloud.account.name\":\"keyword\",\"cloud.availability_zone\":\"keyword\",\"cloud.instance.id\":\"keyword\",\"cloud.instance.name\":\"keyword\",\"cloud.machine.type\":\"keyword\",\"cloud.origin.account.id\":\"keyword\",\"cloud.origin.account.name\":\"keyword\",\"cloud.origin.availability_zone\":\"keyword\",\"cloud.origin.instance.id\":\"keyword\",\"cloud.origin.instance.name\":\"keyword\",\"cloud.origin.machine.type\":\"keyword\",\"cloud.origin.project.id\":\"keyword\",\"cloud.origin.project.name\":\"keyword\",\"cloud.origin.provider\":\"keyword\",\"cloud.origin.region\":\"keyword\",\"cloud.origin.service.name\":\"keyword\",\"cloud.project.id\":\"keyword\",\"cloud.project.name\":\"keyword\",\"cloud.provider\":\"keyword\",\"cloud.region\":\"keyword\",\"cloud.service.name\":\"keyword\",\"cloud.target.account.id\":\"keyword\",\"cloud.target.account.name\":\"keyword\",\"cloud.target.availability_zone\":\"keyword\",\"cloud.target.instance.id\":\"keyword\",\"cloud.target.instance.name\":\"keyword\",\"cloud.target.machine.type\":\"keyword\",\"cloud.target.project.id\":\"keyword\",\"cloud.target.project.name\":\"keyword\",\"cloud.target.provider\":\"keyword\",\"cloud.target.region\":\"keyword\",\"cloud.target.service.name\":\"keyword\",\"container.cpu.usage\":\"s
caled_float\",\"container.disk.read.bytes\":\"long\",\"container.disk.write.bytes\":\"long\",\"container.id\":\"keyword\",\"container.image.name\":\"keyword\",\"container.memory.usage\":\"scaled_float\",\"container.name\":\"keyword\",\"container.network.egress.bytes\":\"long\",\"container.network.ingress.bytes\":\"long\",\"container.runtime\":\"keyword\",\"data_stream.dataset\":\"keyword\",\"data_stream.namespace\":\"keyword\",\"data_stream.type\":\"keyword\",\"destination.address\":\"keyword\",\"destination.as.number\":\"long\",\"destination.as.organization.name\":\"keyword\",\"destination.bytes\":\"long\",\"destination.domain\":\"keyword\",\"destination.geo.city_name\":\"keyword\",\"destination.geo.continent_code\":\"keyword\",\"destination.geo.continent_name\":\"keyword\",\"destination.geo.country_iso_code\":\"keyword\",\"destination.geo.country_name\":\"keyword\",\"destination.geo.location\":\"geo_point\",\"destination.geo.name\":\"keyword\",\"destination.geo.postal_code\":\"keyword\",\"destination.geo.region_iso_code\":\"keyword\",\"destination.geo.region_name\":\"keyword\",\"destination.geo.timezone\":\"keyword\",\"destination.ip\":\"ip\",\"destination.mac\":\"keyword\",\"destination.nat.ip\":\"ip\",\"destination.nat.port\":\"long\",\"destination.packets\":\"long\",\"destination.port\":\"long\",\"destination.registered_domain\":\"keyword\",\"destination.subdomain\":\"keyword\",\"destination.top_level_domain\":\"keyword\",\"destination.user.domain\":\"keyword\",\"destination.user.email\":\"keyword\",\"destination.user.full_name\":\"keyword\",\"destination.user.group.domain\":\"keyword\",\"destination.user.group.id\":\"keyword\",\"destination.user.group.name\":\"keyword\",\"destination.user.hash\":\"keyword\",\"destination.user.id\":\"keyword\",\"destination.user.name\":\"keyword\",\"destination.user.risk.calculated_level\":\"keyword\",\"destination.user.risk.calculated_score\":\"float\",\"destination.user.risk.calculated_score_norm\":\"float\",\"destination.use
r.risk.static_level\":\"keyword\",\"destination.user.risk.static_score\":\"float\",\"destination.user.risk.static_score_norm\":\"float\",\"dll.code_signature.digest_algorithm\":\"keyword\",\"dll.code_signature.exists\":\"boolean\",\"dll.code_signature.signing_id\":\"keyword\",\"dll.code_signature.status\":\"keyword\",\"dll.code_signature.subject_name\":\"keyword\",\"dll.code_signature.team_id\":\"keyword\",\"dll.code_signature.timestamp\":\"date\",\"dll.code_signature.trusted\":\"boolean\",\"dll.code_signature.valid\":\"boolean\",\"dll.hash.md5\":\"keyword\",\"dll.hash.sha1\":\"keyword\",\"dll.hash.sha256\":\"keyword\",\"dll.hash.sha384\":\"keyword\",\"dll.hash.sha512\":\"keyword\",\"dll.hash.ssdeep\":\"keyword\",\"dll.hash.tlsh\":\"keyword\",\"dll.name\":\"keyword\",\"dll.path\":\"keyword\",\"dll.pe.architecture\":\"keyword\",\"dll.pe.company\":\"keyword\",\"dll.pe.description\":\"keyword\",\"dll.pe.file_version\":\"keyword\",\"dll.pe.imphash\":\"keyword\",\"dll.pe.original_file_name\":\"keyword\",\"dll.pe.pehash\":\"keyword\",\"dll.pe.product\":\"keyword\",\"dns.id\":\"keyword\",\"dns.op_code\":\"keyword\",\"dns.question.class\":\"keyword\",\"dns.question.name\":\"keyword\",\"dns.question.registered_domain\":\"keyword\",\"dns.question.subdomain\":\"keyword\",\"dns.question.top_level_domain\":\"keyword\",\"dns.question.type\":\"keyword\",\"dns.response_code\":\"keyword\",\"dns.type\":\"keyword\",\"ecs.version\":\"keyword\",\"email.content_type\":\"keyword\",\"email.delivery_timestamp\":\"date\",\"email.direction\":\"keyword\",\"email.local_id\":\"keyword\",\"email.message_id\":\"keyword\",\"email.origination_timestamp\":\"date\",\"email.sender.address\":\"keyword\",\"email.subject\":\"keyword\",\"email.x_mailer\":\"keyword\",\"error.code\":\"keyword\",\"error.id\":\"keyword\",\"error.message\":\"text\",\"error.stack_trace\":\"keyword\",\"error.type\":\"keyword\",\"event.action\":\"keyword\",\"event.agent_id_status\":\"keyword\",\"event.code\":\"keyword\",\"event.cr
eated\":\"date\",\"event.dataset\":\"keyword\",\"event.duration\":\"long\",\"event.end\":\"date\",\"event.hash\":\"keyword\",\"event.id\":\"keyword\",\"event.ingested\":\"date\",\"event.kind\":\"keyword\",\"event.module\":\"keyword\",\"event.original\":\"keyword\",\"event.outcome\":\"keyword\",\"event.provider\":\"keyword\",\"event.reason\":\"keyword\",\"event.reference\":\"keyword\",\"event.risk_score\":\"float\",\"event.risk_score_norm\":\"float\",\"event.sequence\":\"long\",\"event.severity\":\"long\",\"event.start\":\"date\",\"event.timezone\":\"keyword\",\"event.url\":\"keyword\",\"faas.coldstart\":\"boolean\",\"faas.execution\":\"keyword\",\"faas.id\":\"keyword\",\"faas.name\":\"keyword\",\"faas.version\":\"keyword\",\"file.accessed\":\"date\",\"file.code_signature.digest_algorithm\":\"keyword\",\"file.code_signature.exists\":\"boolean\",\"file.code_signature.signing_id\":\"keyword\",\"file.code_signature.status\":\"keyword\",\"file.code_signature.subject_name\":\"keyword\",\"file.code_signature.team_id\":\"keyword\",\"file.code_signature.timestamp\":\"date\",\"file.code_signature.trusted\":\"boolean\",\"file.code_signature.valid\":\"boolean\",\"file.created\":\"date\",\"file.ctime\":\"date\",\"file.device\":\"keyword\",\"file.directory\":\"keyword\",\"file.drive_letter\":\"keyword\",\"file.elf.architecture\":\"keyword\",\"file.elf.byte_order\":\"keyword\",\"file.elf.cpu_type\":\"keyword\",\"file.elf.creation_date\":\"date\",\"file.elf.header.abi_version\":\"keyword\",\"file.elf.header.class\":\"keyword\",\"file.elf.header.data\":\"keyword\",\"file.elf.header.entrypoint\":\"long\",\"file.elf.header.object_version\":\"keyword\",\"file.elf.header.os_abi\":\"keyword\",\"file.elf.header.type\":\"keyword\",\"file.elf.header.version\":\"keyword\",\"file.elf.telfhash\":\"keyword\",\"file.extension\":\"keyword\",\"file.fork_name\":\"keyword\",\"file.gid\":\"keyword\",\"file.group\":\"keyword\",\"file.hash.md5\":\"keyword\",\"file.hash.sha1\":\"keyword\",\"file.hash.sh
a256\":\"keyword\",\"file.hash.sha384\":\"keyword\",\"file.hash.sha512\":\"keyword\",\"file.hash.ssdeep\":\"keyword\",\"file.hash.tlsh\":\"keyword\",\"file.inode\":\"keyword\",\"file.mime_type\":\"keyword\",\"file.mode\":\"keyword\",\"file.mtime\":\"date\",\"file.name\":\"keyword\",\"file.owner\":\"keyword\",\"file.path\":\"keyword\",\"file.pe.architecture\":\"keyword\",\"file.pe.company\":\"keyword\",\"file.pe.description\":\"keyword\",\"file.pe.file_version\":\"keyword\",\"file.pe.imphash\":\"keyword\",\"file.pe.original_file_name\":\"keyword\",\"file.pe.pehash\":\"keyword\",\"file.pe.product\":\"keyword\",\"file.size\":\"long\",\"file.target_path\":\"keyword\",\"file.type\":\"keyword\",\"file.uid\":\"keyword\",\"file.x509.issuer.distinguished_name\":\"keyword\",\"file.x509.not_after\":\"date\",\"file.x509.not_before\":\"date\",\"file.x509.public_key_algorithm\":\"keyword\",\"file.x509.public_key_curve\":\"keyword\",\"file.x509.public_key_exponent\":\"long\",\"file.x509.public_key_size\":\"long\",\"file.x509.serial_number\":\"keyword\",\"file.x509.signature_algorithm\":\"keyword\",\"file.x509.subject.distinguished_name\":\"keyword\",\"file.x509.version_number\":\"keyword\",\"group.domain\":\"keyword\",\"group.id\":\"keyword\",\"group.name\":\"keyword\",\"host.architecture\":\"keyword\",\"host.boot.id\":\"keyword\",\"host.cpu.usage\":\"scaled_float\",\"host.disk.read.bytes\":\"long\",\"host.disk.write.bytes\":\"long\",\"host.domain\":\"keyword\",\"host.geo.city_name\":\"keyword\",\"host.geo.continent_code\":\"keyword\",\"host.geo.continent_name\":\"keyword\",\"host.geo.country_iso_code\":\"keyword\",\"host.geo.country_name\":\"keyword\",\"host.geo.location\":\"geo_point\",\"host.geo.name\":\"keyword\",\"host.geo.postal_code\":\"keyword\",\"host.geo.region_iso_code\":\"keyword\",\"host.geo.region_name\":\"keyword\",\"host.geo.timezone\":\"keyword\",\"host.hostname\":\"keyword\",\"host.id\":\"keyword\",\"host.name\":\"keyword\",\"host.network.egress.bytes\":\"long\",
\"host.network.egress.packets\":\"long\",\"host.network.ingress.bytes\":\"long\",\"host.network.ingress.packets\":\"long\",\"host.os.family\":\"keyword\",\"host.os.full\":\"keyword\",\"host.os.kernel\":\"keyword\",\"host.os.name\":\"keyword\",\"host.os.platform\":\"keyword\",\"host.os.type\":\"keyword\",\"host.os.version\":\"keyword\",\"host.pid_ns_ino\":\"keyword\",\"host.risk.calculated_level\":\"keyword\",\"host.risk.calculated_score\":\"float\",\"host.risk.calculated_score_norm\":\"float\",\"host.risk.static_level\":\"keyword\",\"host.risk.static_score\":\"float\",\"host.risk.static_score_norm\":\"float\",\"host.type\":\"keyword\",\"host.uptime\":\"long\",\"http.request.body.bytes\":\"long\",\"http.request.body.content\":\"keyword\",\"http.request.bytes\":\"long\",\"http.request.id\":\"keyword\",\"http.request.method\":\"keyword\",\"http.request.mime_type\":\"keyword\",\"http.request.referrer\":\"keyword\",\"http.response.body.bytes\":\"long\",\"http.response.body.content\":\"keyword\",\"http.response.bytes\":\"long\",\"http.response.mime_type\":\"keyword\",\"http.response.status_code\":\"long\",\"http.version\":\"keyword\",\"log.file.path\":\"keyword\",\"log.level\":\"keyword\",\"log.logger\":\"keyword\",\"log.origin.file.line\":\"long\",\"log.origin.file.name\":\"keyword\",\"log.origin.function\":\"keyword\",\"message\":\"text\",\"network.application\":\"keyword\",\"network.bytes\":\"long\",\"network.community_id\":\"keyword\",\"network.direction\":\"keyword\",\"network.forwarded_ip\":\"ip\",\"network.iana_number\":\"keyword\",\"network.name\":\"keyword\",\"network.packets\":\"long\",\"network.protocol\":\"keyword\",\"network.transport\":\"keyword\",\"network.type\":\"keyword\",\"network.vlan.id\":\"keyword\",\"network.vlan.name\":\"keyword\",\"observer.geo.city_name\":\"keyword\",\"observer.geo.continent_code\":\"keyword\",\"observer.geo.continent_name\":\"keyword\",\"observer.geo.country_iso_code\":\"keyword\",\"observer.geo.country_name\":\"keyword\",\"obse
rver.geo.location\":\"geo_point\",\"observer.geo.name\":\"keyword\",\"observer.geo.postal_code\":\"keyword\",\"observer.geo.region_iso_code\":\"keyword\",\"observer.geo.region_name\":\"keyword\",\"observer.geo.timezone\":\"keyword\",\"observer.hostname\":\"keyword\",\"observer.name\":\"keyword\",\"observer.os.family\":\"keyword\",\"observer.os.full\":\"keyword\",\"observer.os.kernel\":\"keyword\",\"observer.os.name\":\"keyword\",\"observer.os.platform\":\"keyword\",\"observer.os.type\":\"keyword\",\"observer.os.version\":\"keyword\",\"observer.product\":\"keyword\",\"observer.serial_number\":\"keyword\",\"observer.type\":\"keyword\",\"observer.vendor\":\"keyword\",\"observer.version\":\"keyword\",\"orchestrator.api_version\":\"keyword\",\"orchestrator.cluster.id\":\"keyword\",\"orchestrator.cluster.name\":\"keyword\",\"orchestrator.cluster.url\":\"keyword\",\"orchestrator.cluster.version\":\"keyword\",\"orchestrator.namespace\":\"keyword\",\"orchestrator.organization\":\"keyword\",\"orchestrator.resource.id\":\"keyword\",\"orchestrator.resource.name\":\"keyword\",\"orchestrator.resource.parent.type\":\"keyword\",\"orchestrator.resource.type\":\"keyword\",\"orchestrator.type\":\"keyword\",\"organization.id\":\"keyword\",\"organization.name\":\"keyword\",\"package.architecture\":\"keyword\",\"package.build_version\":\"keyword\",\"package.checksum\":\"keyword\",\"package.description\":\"keyword\",\"package.install_scope\":\"keyword\",\"package.installed\":\"date\",\"package.license\":\"keyword\",\"package.name\":\"keyword\",\"package.path\":\"keyword\",\"package.reference\":\"keyword\",\"package.size\":\"long\",\"package.type\":\"keyword\",\"package.version\":\"keyword\",\"process.args_count\":\"long\",\"process.code_signature.digest_algorithm\":\"keyword\",\"process.code_signature.exists\":\"boolean\",\"process.code_signature.signing_id\":\"keyword\",\"process.code_signature.status\":\"keyword\",\"process.code_signature.subject_name\":\"keyword\",\"process.code_signat
ure.team_id\":\"keyword\",\"process.code_signature.timestamp\":\"date\",\"process.code_signature.trusted\":\"boolean\",\"process.code_signature.valid\":\"boolean\",\"process.command_line\":\"keyword\",\"process.elf.architecture\":\"keyword\",\"process.elf.byte_order\":\"keyword\",\"process.elf.cpu_type\":\"keyword\",\"process.elf.creation_date\":\"date\",\"process.elf.header.abi_version\":\"keyword\",\"process.elf.header.class\":\"keyword\",\"process.elf.header.data\":\"keyword\",\"process.elf.header.entrypoint\":\"long\",\"process.elf.header.object_version\":\"keyword\",\"process.elf.header.os_abi\":\"keyword\",\"process.elf.header.type\":\"keyword\",\"process.elf.header.version\":\"keyword\",\"process.elf.telfhash\":\"keyword\",\"process.end\":\"date\",\"process.entity_id\":\"keyword\",\"process.entry_leader.args_count\":\"long\",\"process.entry_leader.attested_groups.name\":\"keyword\",\"process.entry_leader.attested_user.id\":\"keyword\",\"process.entry_leader.attested_user.name\":\"keyword\",\"process.entry_leader.command_line\":\"keyword\",\"process.entry_leader.entity_id\":\"keyword\",\"process.entry_leader.entry_meta.source.ip\":\"ip\",\"process.entry_leader.entry_meta.type\":\"keyword\",\"process.entry_leader.executable\":\"keyword\",\"process.entry_leader.group.id\":\"keyword\",\"process.entry_leader.group.name\":\"keyword\",\"process.entry_leader.interactive\":\"boolean\",\"process.entry_leader.name\":\"keyword\",\"process.entry_leader.parent.entity_id\":\"keyword\",\"process.entry_leader.parent.pid\":\"long\",\"process.entry_leader.parent.session_leader.entity_id\":\"keyword\",\"process.entry_leader.parent.session_leader.pid\":\"long\",\"process.entry_leader.parent.session_leader.start\":\"date\",\"process.entry_leader.parent.start\":\"date\",\"process.entry_leader.pid\":\"long\",\"process.entry_leader.real_group.id\":\"keyword\",\"process.entry_leader.real_group.name\":\"keyword\",\"process.entry_leader.real_user.id\":\"keyword\",\"process.entry_leader.
real_user.name\":\"keyword\",\"process.entry_leader.same_as_process\":\"boolean\",\"process.entry_leader.saved_group.id\":\"keyword\",\"process.entry_leader.saved_group.name\":\"keyword\",\"process.entry_leader.saved_user.id\":\"keyword\",\"process.entry_leader.saved_user.name\":\"keyword\",\"process.entry_leader.start\":\"date\",\"process.entry_leader.supplemental_groups.id\":\"keyword\",\"process.entry_leader.supplemental_groups.name\":\"keyword\",\"process.entry_leader.user.id\":\"keyword\",\"process.entry_leader.user.name\":\"keyword\",\"process.entry_leader.working_directory\":\"keyword\",\"process.executable\":\"keyword\",\"process.exit_code\":\"long\",\"process.group_leader.args_count\":\"long\",\"process.group_leader.command_line\":\"keyword\",\"process.group_leader.entity_id\":\"keyword\",\"process.group_leader.executable\":\"keyword\",\"process.group_leader.group.id\":\"keyword\",\"process.group_leader.group.name\":\"keyword\",\"process.group_leader.interactive\":\"boolean\",\"process.group_leader.name\":\"keyword\",\"process.group_leader.pid\":\"long\",\"process.group_leader.real_group.id\":\"keyword\",\"process.group_leader.real_group.name\":\"keyword\",\"process.group_leader.real_user.id\":\"keyword\",\"process.group_leader.real_user.name\":\"keyword\",\"process.group_leader.same_as_process\":\"boolean\",\"process.group_leader.saved_group.id\":\"keyword\",\"process.group_leader.saved_group.name\":\"keyword\",\"process.group_leader.saved_user.id\":\"keyword\",\"process.group_leader.saved_user.name\":\"keyword\",\"process.group_leader.start\":\"date\",\"process.group_leader.supplemental_groups.id\":\"keyword\",\"process.group_leader.supplemental_groups.name\":\"keyword\",\"process.group_leader.user.id\":\"keyword\",\"process.group_leader.user.name\":\"keyword\",\"process.group_leader.working_directory\":\"keyword\",\"process.hash.md5\":\"keyword\",\"process.hash.sha1\":\"keyword\",\"process.hash.sha256\":\"keyword\",\"process.hash.sha384\":\"keyword\",\"p
rocess.hash.sha512\":\"keyword\",\"process.hash.ssdeep\":\"keyword\",\"process.hash.tlsh\":\"keyword\",\"process.interactive\":\"boolean\",\"process.name\":\"keyword\",\"process.parent.args_count\":\"long\",\"process.parent.code_signature.digest_algorithm\":\"keyword\",\"process.parent.code_signature.exists\":\"boolean\",\"process.parent.code_signature.signing_id\":\"keyword\",\"process.parent.code_signature.status\":\"keyword\",\"process.parent.code_signature.subject_name\":\"keyword\",\"process.parent.code_signature.team_id\":\"keyword\",\"process.parent.code_signature.timestamp\":\"date\",\"process.parent.code_signature.trusted\":\"boolean\",\"process.parent.code_signature.valid\":\"boolean\",\"process.parent.command_line\":\"keyword\",\"process.parent.elf.architecture\":\"keyword\",\"process.parent.elf.byte_order\":\"keyword\",\"process.parent.elf.cpu_type\":\"keyword\",\"process.parent.elf.creation_date\":\"date\",\"process.parent.elf.header.abi_version\":\"keyword\",\"process.parent.elf.header.class\":\"keyword\",\"process.parent.elf.header.data\":\"keyword\",\"process.parent.elf.header.entrypoint\":\"long\",\"process.parent.elf.header.object_version\":\"keyword\",\"process.parent.elf.header.os_abi\":\"keyword\",\"process.parent.elf.header.type\":\"keyword\",\"process.parent.elf.header.version\":\"keyword\",\"process.parent.elf.telfhash\":\"keyword\",\"process.parent.end\":\"date\",\"process.parent.entity_id\":\"keyword\",\"process.parent.executable\":\"keyword\",\"process.parent.exit_code\":\"long\",\"process.parent.group.id\":\"keyword\",\"process.parent.group.name\":\"keyword\",\"process.parent.group_leader.entity_id\":\"keyword\",\"process.parent.group_leader.pid\":\"long\",\"process.parent.group_leader.start\":\"date\",\"process.parent.hash.md5\":\"keyword\",\"process.parent.hash.sha1\":\"keyword\",\"process.parent.hash.sha256\":\"keyword\",\"process.parent.hash.sha384\":\"keyword\",\"process.parent.hash.sha512\":\"keyword\",\"process.parent.hash.ssdeep\"
:\"keyword\",\"process.parent.hash.tlsh\":\"keyword\",\"process.parent.interactive\":\"boolean\",\"process.parent.name\":\"keyword\",\"process.parent.pe.architecture\":\"keyword\",\"process.parent.pe.company\":\"keyword\",\"process.parent.pe.description\":\"keyword\",\"process.parent.pe.file_version\":\"keyword\",\"process.parent.pe.imphash\":\"keyword\",\"process.parent.pe.original_file_name\":\"keyword\",\"process.parent.pe.pehash\":\"keyword\",\"process.parent.pe.product\":\"keyword\",\"process.parent.pgid\":\"long\",\"process.parent.pid\":\"long\",\"process.parent.real_group.id\":\"keyword\",\"process.parent.real_group.name\":\"keyword\",\"process.parent.real_user.id\":\"keyword\",\"process.parent.real_user.name\":\"keyword\",\"process.parent.saved_group.id\":\"keyword\",\"process.parent.saved_group.name\":\"keyword\",\"process.parent.saved_user.id\":\"keyword\",\"process.parent.saved_user.name\":\"keyword\",\"process.parent.start\":\"date\",\"process.parent.supplemental_groups.id\":\"keyword\",\"process.parent.supplemental_groups.name\":\"keyword\",\"process.parent.thread.id\":\"long\",\"process.parent.thread.name\":\"keyword\",\"process.parent.title\":\"keyword\",\"process.parent.uptime\":\"long\",\"process.parent.user.id\":\"keyword\",\"process.parent.user.name\":\"keyword\",\"process.parent.working_directory\":\"keyword\",\"process.pe.architecture\":\"keyword\",\"process.pe.company\":\"keyword\",\"process.pe.description\":\"keyword\",\"process.pe.file_version\":\"keyword\",\"process.pe.imphash\":\"keyword\",\"process.pe.original_file_name\":\"keyword\",\"process.pe.pehash\":\"keyword\",\"process.pe.product\":\"keyword\",\"process.pgid\":\"long\",\"process.pid\":\"long\",\"process.previous.args_count\":\"long\",\"process.previous.executable\":\"keyword\",\"process.real_group.id\":\"keyword\",\"process.real_group.name\":\"keyword\",\"process.real_user.id\":\"keyword\",\"process.real_user.name\":\"keyword\",\"process.saved_group.id\":\"keyword\",\"process.saved
_group.name\":\"keyword\",\"process.saved_user.id\":\"keyword\",\"process.saved_user.name\":\"keyword\",\"process.session_leader.args_count\":\"long\",\"process.session_leader.command_line\":\"keyword\",\"process.session_leader.entity_id\":\"keyword\",\"process.session_leader.executable\":\"keyword\",\"process.session_leader.group.id\":\"keyword\",\"process.session_leader.group.name\":\"keyword\",\"process.session_leader.interactive\":\"boolean\",\"process.session_leader.name\":\"keyword\",\"process.session_leader.parent.entity_id\":\"keyword\",\"process.session_leader.parent.pid\":\"long\",\"process.session_leader.parent.session_leader.entity_id\":\"keyword\",\"process.session_leader.parent.session_leader.pid\":\"long\",\"process.session_leader.parent.session_leader.start\":\"date\",\"process.session_leader.parent.start\":\"date\",\"process.session_leader.pid\":\"long\",\"process.session_leader.real_group.id\":\"keyword\",\"process.session_leader.real_group.name\":\"keyword\",\"process.session_leader.real_user.id\":\"keyword\",\"process.session_leader.real_user.name\":\"keyword\",\"process.session_leader.same_as_process\":\"boolean\",\"process.session_leader.saved_group.id\":\"keyword\",\"process.session_leader.saved_group.name\":\"keyword\",\"process.session_leader.saved_user.id\":\"keyword\",\"process.session_leader.saved_user.name\":\"keyword\",\"process.session_leader.start\":\"date\",\"process.session_leader.supplemental_groups.id\":\"keyword\",\"process.session_leader.supplemental_groups.name\":\"keyword\",\"process.session_leader.user.id\":\"keyword\",\"process.session_leader.user.name\":\"keyword\",\"process.session_leader.working_directory\":\"keyword\",\"process.start\":\"date\",\"process.supplemental_groups.id\":\"keyword\",\"process.supplemental_groups.name\":\"keyword\",\"process.thread.id\":\"long\",\"process.thread.name\":\"keyword\",\"process.title\":\"keyword\",\"process.uptime\":\"long\",\"process.user.id\":\"keyword\",\"process.user.name\":\"keyw
ord\",\"process.working_directory\":\"keyword\",\"registry.data.bytes\":\"keyword\",\"registry.data.type\":\"keyword\",\"registry.hive\":\"keyword\",\"registry.key\":\"keyword\",\"registry.path\":\"keyword\",\"registry.value\":\"keyword\",\"rule.category\":\"keyword\",\"rule.description\":\"keyword\",\"rule.id\":\"keyword\",\"rule.license\":\"keyword\",\"rule.name\":\"keyword\",\"rule.reference\":\"keyword\",\"rule.ruleset\":\"keyword\",\"rule.uuid\":\"keyword\",\"rule.version\":\"keyword\",\"server.address\":\"keyword\",\"server.as.number\":\"long\",\"server.as.organization.name\":\"keyword\",\"server.bytes\":\"long\",\"server.domain\":\"keyword\",\"server.geo.city_name\":\"keyword\",\"server.geo.continent_code\":\"keyword\",\"server.geo.continent_name\":\"keyword\",\"server.geo.country_iso_code\":\"keyword\",\"server.geo.country_name\":\"keyword\",\"server.geo.location\":\"geo_point\",\"server.geo.name\":\"keyword\",\"server.geo.postal_code\":\"keyword\",\"server.geo.region_iso_code\":\"keyword\",\"server.geo.region_name\":\"keyword\",\"server.geo.timezone\":\"keyword\",\"server.ip\":\"ip\",\"server.mac\":\"keyword\",\"server.nat.ip\":\"ip\",\"server.nat.port\":\"long\",\"server.packets\":\"long\",\"server.port\":\"long\",\"server.registered_domain\":\"keyword\",\"server.subdomain\":\"keyword\",\"server.top_level_domain\":\"keyword\",\"server.user.domain\":\"keyword\",\"server.user.email\":\"keyword\",\"server.user.full_name\":\"keyword\",\"server.user.group.domain\":\"keyword\",\"server.user.group.id\":\"keyword\",\"server.user.group.name\":\"keyword\",\"server.user.hash\":\"keyword\",\"server.user.id\":\"keyword\",\"server.user.name\":\"keyword\",\"server.user.risk.calculated_level\":\"keyword\",\"server.user.risk.calculated_score\":\"float\",\"server.user.risk.calculated_score_norm\":\"float\",\"server.user.risk.static_level\":\"keyword\",\"server.user.risk.static_score\":\"float\",\"server.user.risk.static_score_norm\":\"float\",\"service.address\":\"keyword\"
,\"service.environment\":\"keyword\",\"service.ephemeral_id\":\"keyword\",\"service.id\":\"keyword\",\"service.name\":\"keyword\",\"service.node.name\":\"keyword\",\"service.node.role\":\"keyword\",\"service.origin.address\":\"keyword\",\"service.origin.environment\":\"keyword\",\"service.origin.ephemeral_id\":\"keyword\",\"service.origin.id\":\"keyword\",\"service.origin.name\":\"keyword\",\"service.origin.node.name\":\"keyword\",\"service.origin.node.role\":\"keyword\",\"service.origin.state\":\"keyword\",\"service.origin.type\":\"keyword\",\"service.origin.version\":\"keyword\",\"service.state\":\"keyword\",\"service.target.address\":\"keyword\",\"service.target.environment\":\"keyword\",\"service.target.ephemeral_id\":\"keyword\",\"service.target.id\":\"keyword\",\"service.target.name\":\"keyword\",\"service.target.node.name\":\"keyword\",\"service.target.node.role\":\"keyword\",\"service.target.state\":\"keyword\",\"service.target.type\":\"keyword\",\"service.target.version\":\"keyword\",\"service.type\":\"keyword\",\"service.version\":\"keyword\",\"source.address\":\"keyword\",\"source.as.number\":\"long\",\"source.as.organization.name\":\"keyword\",\"source.bytes\":\"long\",\"source.domain\":\"keyword\",\"source.geo.city_name\":\"keyword\",\"source.geo.continent_code\":\"keyword\",\"source.geo.continent_name\":\"keyword\",\"source.geo.country_iso_code\":\"keyword\",\"source.geo.country_name\":\"keyword\",\"source.geo.location\":\"geo_point\",\"source.geo.name\":\"keyword\",\"source.geo.postal_code\":\"keyword\",\"source.geo.region_iso_code\":\"keyword\",\"source.geo.region_name\":\"keyword\",\"source.geo.timezone\":\"keyword\",\"source.ip\":\"ip\",\"source.mac\":\"keyword\",\"source.nat.ip\":\"ip\",\"source.nat.port\":\"long\",\"source.packets\":\"long\",\"source.port\":\"long\",\"source.registered_domain\":\"keyword\",\"source.subdomain\":\"keyword\",\"source.top_level_domain\":\"keyword\",\"source.user.domain\":\"keyword\",\"source.user.email\":\"keyword\",
\"source.user.full_name\":\"keyword\",\"source.user.group.domain\":\"keyword\",\"source.user.group.id\":\"keyword\",\"source.user.group.name\":\"keyword\",\"source.user.hash\":\"keyword\",\"source.user.id\":\"keyword\",\"source.user.name\":\"keyword\",\"source.user.risk.calculated_level\":\"keyword\",\"source.user.risk.calculated_score\":\"float\",\"source.user.risk.calculated_score_norm\":\"float\",\"source.user.risk.static_level\":\"keyword\",\"source.user.risk.static_score\":\"float\",\"source.user.risk.static_score_norm\":\"float\",\"span.id\":\"keyword\",\"threat.feed.dashboard_id\":\"keyword\",\"threat.feed.description\":\"keyword\",\"threat.feed.name\":\"keyword\",\"threat.feed.reference\":\"keyword\",\"threat.framework\":\"keyword\",\"threat.group.id\":\"keyword\",\"threat.group.name\":\"keyword\",\"threat.group.reference\":\"keyword\",\"threat.indicator.as.number\":\"long\",\"threat.indicator.as.organization.name\":\"keyword\",\"threat.indicator.confidence\":\"keyword\",\"threat.indicator.description\":\"keyword\",\"threat.indicator.email.address\":\"keyword\",\"threat.indicator.file.accessed\":\"date\",\"threat.indicator.file.code_signature.digest_algorithm\":\"keyword\",\"threat.indicator.file.code_signature.exists\":\"boolean\",\"threat.indicator.file.code_signature.signing_id\":\"keyword\",\"threat.indicator.file.code_signature.status\":\"keyword\",\"threat.indicator.file.code_signature.subject_name\":\"keyword\",\"threat.indicator.file.code_signature.team_id\":\"keyword\",\"threat.indicator.file.code_signature.timestamp\":\"date\",\"threat.indicator.file.code_signature.trusted\":\"boolean\",\"threat.indicator.file.code_signature.valid\":\"boolean\",\"threat.indicator.file.created\":\"date\",\"threat.indicator.file.ctime\":\"date\",\"threat.indicator.file.device\":\"keyword\",\"threat.indicator.file.directory\":\"keyword\",\"threat.indicator.file.drive_letter\":\"keyword\",\"threat.indicator.file.elf.architecture\":\"keyword\",\"threat.indicator.file.el
f.byte_order\":\"keyword\",\"threat.indicator.file.elf.cpu_type\":\"keyword\",\"threat.indicator.file.elf.creation_date\":\"date\",\"threat.indicator.file.elf.header.abi_version\":\"keyword\",\"threat.indicator.file.elf.header.class\":\"keyword\",\"threat.indicator.file.elf.header.data\":\"keyword\",\"threat.indicator.file.elf.header.entrypoint\":\"long\",\"threat.indicator.file.elf.header.object_version\":\"keyword\",\"threat.indicator.file.elf.header.os_abi\":\"keyword\",\"threat.indicator.file.elf.header.type\":\"keyword\",\"threat.indicator.file.elf.header.version\":\"keyword\",\"threat.indicator.file.elf.telfhash\":\"keyword\",\"threat.indicator.file.extension\":\"keyword\",\"threat.indicator.file.fork_name\":\"keyword\",\"threat.indicator.file.gid\":\"keyword\",\"threat.indicator.file.group\":\"keyword\",\"threat.indicator.file.hash.md5\":\"keyword\",\"threat.indicator.file.hash.sha1\":\"keyword\",\"threat.indicator.file.hash.sha256\":\"keyword\",\"threat.indicator.file.hash.sha384\":\"keyword\",\"threat.indicator.file.hash.sha512\":\"keyword\",\"threat.indicator.file.hash.ssdeep\":\"keyword\",\"threat.indicator.file.hash.tlsh\":\"keyword\",\"threat.indicator.file.inode\":\"keyword\",\"threat.indicator.file.mime_type\":\"keyword\",\"threat.indicator.file.mode\":\"keyword\",\"threat.indicator.file.mtime\":\"date\",\"threat.indicator.file.name\":\"keyword\",\"threat.indicator.file.owner\":\"keyword\",\"threat.indicator.file.path\":\"keyword\",\"threat.indicator.file.pe.architecture\":\"keyword\",\"threat.indicator.file.pe.company\":\"keyword\",\"threat.indicator.file.pe.description\":\"keyword\",\"threat.indicator.file.pe.file_version\":\"keyword\",\"threat.indicator.file.pe.imphash\":\"keyword\",\"threat.indicator.file.pe.original_file_name\":\"keyword\",\"threat.indicator.file.pe.pehash\":\"keyword\",\"threat.indicator.file.pe.product\":\"keyword\",\"threat.indicator.file.size\":\"long\",\"threat.indicator.file.target_path\":\"keyword\",\"threat.indicator.file
.type\":\"keyword\",\"threat.indicator.file.uid\":\"keyword\",\"threat.indicator.file.x509.issuer.distinguished_name\":\"keyword\",\"threat.indicator.file.x509.not_after\":\"date\",\"threat.indicator.file.x509.not_before\":\"date\",\"threat.indicator.file.x509.public_key_algorithm\":\"keyword\",\"threat.indicator.file.x509.public_key_curve\":\"keyword\",\"threat.indicator.file.x509.public_key_exponent\":\"long\",\"threat.indicator.file.x509.public_key_size\":\"long\",\"threat.indicator.file.x509.serial_number\":\"keyword\",\"threat.indicator.file.x509.signature_algorithm\":\"keyword\",\"threat.indicator.file.x509.subject.distinguished_name\":\"keyword\",\"threat.indicator.file.x509.version_number\":\"keyword\",\"threat.indicator.first_seen\":\"date\",\"threat.indicator.geo.city_name\":\"keyword\",\"threat.indicator.geo.continent_code\":\"keyword\",\"threat.indicator.geo.continent_name\":\"keyword\",\"threat.indicator.geo.country_iso_code\":\"keyword\",\"threat.indicator.geo.country_name\":\"keyword\",\"threat.indicator.geo.location\":\"geo_point\",\"threat.indicator.geo.name\":\"keyword\",\"threat.indicator.geo.postal_code\":\"keyword\",\"threat.indicator.geo.region_iso_code\":\"keyword\",\"threat.indicator.geo.region_name\":\"keyword\",\"threat.indicator.geo.timezone\":\"keyword\",\"threat.indicator.ip\":\"ip\",\"threat.indicator.last_seen\":\"date\",\"threat.indicator.marking.tlp\":\"keyword\",\"threat.indicator.modified_at\":\"date\",\"threat.indicator.port\":\"long\",\"threat.indicator.provider\":\"keyword\",\"threat.indicator.reference\":\"keyword\",\"threat.indicator.registry.data.bytes\":\"keyword\",\"threat.indicator.registry.data.type\":\"keyword\",\"threat.indicator.registry.hive\":\"keyword\",\"threat.indicator.registry.key\":\"keyword\",\"threat.indicator.registry.path\":\"keyword\",\"threat.indicator.registry.value\":\"keyword\",\"threat.indicator.scanner_stats\":\"long\",\"threat.indicator.sightings\":\"long\",\"threat.indicator.type\":\"keyword\",\"th
reat.indicator.url.domain\":\"keyword\",\"threat.indicator.url.extension\":\"keyword\",\"threat.indicator.url.fragment\":\"keyword\",\"threat.indicator.url.full\":\"keyword\",\"threat.indicator.url.original\":\"keyword\",\"threat.indicator.url.password\":\"keyword\",\"threat.indicator.url.path\":\"keyword\",\"threat.indicator.url.port\":\"long\",\"threat.indicator.url.query\":\"keyword\",\"threat.indicator.url.registered_domain\":\"keyword\",\"threat.indicator.url.scheme\":\"keyword\",\"threat.indicator.url.subdomain\":\"keyword\",\"threat.indicator.url.top_level_domain\":\"keyword\",\"threat.indicator.url.username\":\"keyword\",\"threat.indicator.x509.issuer.distinguished_name\":\"keyword\",\"threat.indicator.x509.not_after\":\"date\",\"threat.indicator.x509.not_before\":\"date\",\"threat.indicator.x509.public_key_algorithm\":\"keyword\",\"threat.indicator.x509.public_key_curve\":\"keyword\",\"threat.indicator.x509.public_key_exponent\":\"long\",\"threat.indicator.x509.public_key_size\":\"long\",\"threat.indicator.x509.serial_number\":\"keyword\",\"threat.indicator.x509.signature_algorithm\":\"keyword\",\"threat.indicator.x509.subject.distinguished_name\":\"keyword\",\"threat.indicator.x509.version_number\":\"keyword\",\"threat.software.id\":\"keyword\",\"threat.software.name\":\"keyword\",\"threat.software.reference\":\"keyword\",\"threat.software.type\":\"keyword\",\"tls.cipher\":\"keyword\",\"tls.client.certificate\":\"keyword\",\"tls.client.hash.md5\":\"keyword\",\"tls.client.hash.sha1\":\"keyword\",\"tls.client.hash.sha256\":\"keyword\",\"tls.client.issuer\":\"keyword\",\"tls.client.ja3\":\"keyword\",\"tls.client.not_after\":\"date\",\"tls.client.not_before\":\"date\",\"tls.client.server_name\":\"keyword\",\"tls.client.subject\":\"keyword\",\"tls.client.x509.issuer.distinguished_name\":\"keyword\",\"tls.client.x509.not_after\":\"date\",\"tls.client.x509.not_before\":\"date\",\"tls.client.x509.public_key_algorithm\":\"keyword\",\"tls.client.x509.public_key_curv
e\":\"keyword\",\"tls.client.x509.public_key_exponent\":\"long\",\"tls.client.x509.public_key_size\":\"long\",\"tls.client.x509.serial_number\":\"keyword\",\"tls.client.x509.signature_algorithm\":\"keyword\",\"tls.client.x509.subject.distinguished_name\":\"keyword\",\"tls.client.x509.version_number\":\"keyword\",\"tls.curve\":\"keyword\",\"tls.established\":\"boolean\",\"tls.next_protocol\":\"keyword\",\"tls.resumed\":\"boolean\",\"tls.server.certificate\":\"keyword\",\"tls.server.hash.md5\":\"keyword\",\"tls.server.hash.sha1\":\"keyword\",\"tls.server.hash.sha256\":\"keyword\",\"tls.server.issuer\":\"keyword\",\"tls.server.ja3s\":\"keyword\",\"tls.server.not_after\":\"date\",\"tls.server.not_before\":\"date\",\"tls.server.subject\":\"keyword\",\"tls.server.x509.issuer.distinguished_name\":\"keyword\",\"tls.server.x509.not_after\":\"date\",\"tls.server.x509.not_before\":\"date\",\"tls.server.x509.public_key_algorithm\":\"keyword\",\"tls.server.x509.public_key_curve\":\"keyword\",\"tls.server.x509.public_key_exponent\":\"long\",\"tls.server.x509.public_key_size\":\"long\",\"tls.server.x509.serial_number\":\"keyword\",\"tls.server.x509.signature_algorithm\":\"keyword\",\"tls.server.x509.subject.distinguished_name\":\"keyword\",\"tls.server.x509.version_number\":\"keyword\",\"tls.version\":\"keyword\",\"tls.version_protocol\":\"keyword\",\"trace.id\":\"keyword\",\"transaction.id\":\"keyword\",\"url.domain\":\"keyword\",\"url.extension\":\"keyword\",\"url.fragment\":\"keyword\",\"url.full\":\"keyword\",\"url.original\":\"keyword\",\"url.password\":\"keyword\",\"url.path\":\"keyword\",\"url.port\":\"long\",\"url.query\":\"keyword\",\"url.registered_domain\":\"keyword\",\"url.scheme\":\"keyword\",\"url.subdomain\":\"keyword\",\"url.top_level_domain\":\"keyword\",\"url.username\":\"keyword\",\"user.changes.domain\":\"keyword\",\"user.changes.email\":\"keyword\",\"user.changes.full_name\":\"keyword\",\"user.changes.group.domain\":\"keyword\",\"user.changes.group.id\":\"keyw
ord\",\"user.changes.group.name\":\"keyword\",\"user.changes.hash\":\"keyword\",\"user.changes.id\":\"keyword\",\"user.changes.name\":\"keyword\",\"user.changes.risk.calculated_level\":\"keyword\",\"user.changes.risk.calculated_score\":\"float\",\"user.changes.risk.calculated_score_norm\":\"float\",\"user.changes.risk.static_level\":\"keyword\",\"user.changes.risk.static_score\":\"float\",\"user.changes.risk.static_score_norm\":\"float\",\"user.domain\":\"keyword\",\"user.effective.domain\":\"keyword\",\"user.effective.email\":\"keyword\",\"user.effective.full_name\":\"keyword\",\"user.effective.group.domain\":\"keyword\",\"user.effective.group.id\":\"keyword\",\"user.effective.group.name\":\"keyword\",\"user.effective.hash\":\"keyword\",\"user.effective.id\":\"keyword\",\"user.effective.name\":\"keyword\",\"user.effective.risk.calculated_level\":\"keyword\",\"user.effective.risk.calculated_score\":\"float\",\"user.effective.risk.calculated_score_norm\":\"float\",\"user.effective.risk.static_level\":\"keyword\",\"user.effective.risk.static_score\":\"float\",\"user.effective.risk.static_score_norm\":\"float\",\"user.email\":\"keyword\",\"user.full_name\":\"keyword\",\"user.group.domain\":\"keyword\",\"user.group.id\":\"keyword\",\"user.group.name\":\"keyword\",\"user.hash\":\"keyword\",\"user.id\":\"keyword\",\"user.name\":\"keyword\",\"user.risk.calculated_level\":\"keyword\",\"user.risk.calculated_score\":\"float\",\"user.risk.calculated_score_norm\":\"float\",\"user.risk.static_level\":\"keyword\",\"user.risk.static_score\":\"float\",\"user.risk.static_score_norm\":\"float\",\"user.target.domain\":\"keyword\",\"user.target.email\":\"keyword\",\"user.target.full_name\":\"keyword\",\"user.target.group.domain\":\"keyword\",\"user.target.group.id\":\"keyword\",\"user.target.group.name\":\"keyword\",\"user.target.hash\":\"keyword\",\"user.target.id\":\"keyword\",\"user.target.name\":\"keyword\",\"user.target.risk.calculated_level\":\"keyword\",\"user.target.risk.calcul
ated_score\":\"float\",\"user.target.risk.calculated_score_norm\":\"float\",\"user.target.risk.static_level\":\"keyword\",\"user.target.risk.static_score\":\"float\",\"user.target.risk.static_score_norm\":\"float\",\"user_agent.device.name\":\"keyword\",\"user_agent.name\":\"keyword\",\"user_agent.original\":\"keyword\",\"user_agent.os.family\":\"keyword\",\"user_agent.os.full\":\"keyword\",\"user_agent.os.kernel\":\"keyword\",\"user_agent.os.name\":\"keyword\",\"user_agent.os.platform\":\"keyword\",\"user_agent.os.type\":\"keyword\",\"user_agent.os.version\":\"keyword\",\"user_agent.version\":\"keyword\",\"vulnerability.classification\":\"keyword\",\"vulnerability.description\":\"keyword\",\"vulnerability.enumeration\":\"keyword\",\"vulnerability.id\":\"keyword\",\"vulnerability.reference\":\"keyword\",\"vulnerability.report_id\":\"keyword\",\"vulnerability.scanner.vendor\":\"keyword\",\"vulnerability.score.base\":\"float\",\"vulnerability.score.environmental\":\"float\",\"vulnerability.score.temporal\":\"float\",\"vulnerability.score.version\":\"keyword\",\"vulnerability.severity\":\"keyword\",\"wazuh.queue\":\"long\",\"wazuh.location\":\"text\",\"wazuh.message\":\"text\",\"wazuh.origin\":\"keyword\",\"wazuh.registered_ip\":\"keyword\",\"wazuh.source\":\"keyword\",\"url\":\"url\",\"user_agent\":\"useragent\"}}"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

4. Verify that response is a valid json

```json
{"name":"schema/wazuh-logpar-types/0","fields":{"@timestamp":"date","agent.build.original":"keyword","agent.ephemeral_id":"keyword","agent.id":"keyword","agent.name":"keyword","agent.type":"keyword","agent.version":"keyword","client.address":"keyword","client.as.number":"long","client.as.organization.name":"keyword","client.bytes":"long","client.domain":"keyword","client.geo.city_name":"keyword","client.geo.continent_code":"keyword","client.geo.continent_name":"keyword","client.geo.country_iso_code":"keyword","client.geo.country_name":"keyword","client.geo.location":"geo_point","client.geo.name":"keyword","client.geo.postal_code":"keyword","client.geo.region_iso_code":"keyword","client.geo.region_name":"keyword","client.geo.timezone":"keyword","client.ip":"ip","client.mac":"keyword","client.nat.ip":"ip","client.nat.port":"long","client.packets":"long","client.port":"long","client.registered_domain":"keyword","client.subdomain":"keyword","client.top_level_domain":"keyword","client.user.domain":"keyword","client.user.email":"keyword","client.user.full_name":"keyword","client.user.group.domain":"keyword","client.user.group.id":"keyword","client.user.group.name":"keyword","client.user.hash":"keyword","client.user.id":"keyword","client.user.name":"keyword","client.user.risk.calculated_level":"keyword","client.user.risk.calculated_score":"float","client.user.risk.calculated_score_norm":"float","client.user.risk.static_level":"keyword","client.user.risk.static_score":"float","client.user.risk.static_score_norm":"float","cloud.account.id":"keyword","cloud.account.name":"keyword","cloud.availability_zone":"keyword","cloud.instance.id":"keyword","cloud.instance.name":"keyword","cloud.machine.type":"keyword","cloud.origin.account.id":"keyword","cloud.origin.account.name":"keyword","cloud.origin.availability_zone":"keyword","cloud.origin.instance.id":"keyword","cloud.origin.instance.name":"keyword","cloud.origin.machine.type":"keywor
d","cloud.origin.project.id":"keyword","cloud.origin.project.name":"keyword","cloud.origin.provider":"keyword","cloud.origin.region":"keyword","cloud.origin.service.name":"keyword","cloud.project.id":"keyword","cloud.project.name":"keyword","cloud.provider":"keyword","cloud.region":"keyword","cloud.service.name":"keyword","cloud.target.account.id":"keyword","cloud.target.account.name":"keyword","cloud.target.availability_zone":"keyword","cloud.target.instance.id":"keyword","cloud.target.instance.name":"keyword","cloud.target.machine.type":"keyword","cloud.target.project.id":"keyword","cloud.target.project.name":"keyword","cloud.target.provider":"keyword","cloud.target.region":"keyword","cloud.target.service.name":"keyword",
"container.cpu.usage":"scaled_float","container.disk.read.bytes":"long","container.disk.write.bytes":"long","container.id":"keyword","container.image.name":"keyword","container.memory.usage":"scaled_float","container.name":"keyword","container.network.egress.bytes":"long","container.network.ingress.bytes":"long","container.runtime":"keyword",
"data_stream.dataset":"keyword","data_stream.namespace":"keyword","data_stream.type":"keyword",
"destination.address":"keyword","destination.as.number":"long","destination.as.organization.name":"keyword","destination.bytes":"long","destination.domain":"keyword","destination.geo.city_name":"keyword","destination.geo.continent_code":"keyword","destination.geo.continent_name":"keyword","destination.geo.country_iso_code":"keyword","destination.geo.country_name":"keyword","destination.geo.location":"geo_point","destination.geo.name":"keyword","destination.geo.postal_code":"keyword","destination.geo.region_iso_code":"keyword","destination.geo.region_name":"keyword","destination.geo.timezone":"keyword","destination.ip":"ip","destination.mac":"keyword","destination.nat.ip":"ip","destination.nat.port":"long","destination.packets":"long","destination.port":"long","destination.registered_domain":"keyword","destination.subdomain":"keyword","destination.top_level_domain":"keyword","destination.user.domain":"keyword","destination.user.email":"keyword","destination.user.full_name":"keyword","destination.user.group.domain":"keyword","destination.user.group.id":"keyword","destination.user.group.name":"keyword","destination.user.hash":"keyword","destination.user.id":"keyword","destination.user.name":"keyword","destination.user.risk.calculated_level":"keyword","destination.user.risk.calculated_score":"float","destination.user.risk.calculated_score_norm":"float","destination.user.risk.static_level":"keyword","destination.user.risk.static_score":"float","destination.user.risk.static_score_norm":"float",
"dll.code_signature.digest_algorithm":"keyword","dll.code_signature.exists":"boolean","dll.code_signature.signing_id":"keyword","dll.code_signature.status":"keyword","dll.code_signature.subject_name":"keyword","dll.code_signature.team_id":"keyword","dll.code_signature.timestamp":"date","dll.code_signature.trusted":"boolean","dll.code_signature.valid":"boolean","dll.hash.md5":"keyword","dll.hash.sha1":"keyword","dll.hash.sha256":"keyword","dll.hash.sha384":"keyword","dll.hash.sha512":"keyword","dll.hash.ssdeep":"keyword","dll.hash.tlsh":"keyword","dll.name":"keyword","dll.path":"keyword","dll.pe.architecture":"keyword","dll.pe.company":"keyword","dll.pe.description":"keyword","dll.pe.file_version":"keyword","dll.pe.imphash":"keyword","dll.pe.original_file_name":"keyword","dll.pe.pehash":"keyword","dll.pe.product":"keyword",
"dns.id":"keyword","dns.op_code":"keyword","dns.question.class":"keyword","dns.question.name":"keyword","dns.question.registered_domain":"keyword","dns.question.subdomain":"keyword","dns.question.top_level_domain":"keyword","dns.question.type":"keyword","dns.response_code":"keyword","dns.type":"keyword",
"ecs.version":"keyword",
"email.content_type":"keyword","email.delivery_timestamp":"date","email.direction":"keyword","email.local_id":"keyword","email.message_id":"keyword","email.origination_timestamp":"date","email.sender.address":"keyword","email.subject":"keyword","email.x_mailer":"keyword",
"error.code":"keyword","error.id":"keyword","error.message":"text","error.stack_trace":"keyword","error.type":"keyword",
"event.action":"keyword","event.agent_id_status":"keyword","event.code":"keyword","event.created":"date","event.dataset":"keyword","event.duration":"long","event.end":"date","event.hash":"keyword","event.id":"keyword","event.ingested":"date","event.kind":"keyword","event.module":"keyword","event.original":"keyword","event.outcome":"keyword","event.provider":"keyword","event.reason":"keyword","event.reference":"keyword","event.risk_score":"float","event.risk_score_norm":"float","event.sequence":"long","event.severity":"long","event.start":"date","event.timezone":"keyword","event.url":"keyword",
"faas.coldstart":"boolean","faas.execution":"keyword","faas.id":"keyword","faas.name":"keyword","faas.version":"keyword",
"file.accessed":"date","file.code_signature.digest_algorithm":"keyword","file.code_signature.exists":"boolean","file.code_signature.signing_id":"keyword","file.code_signature.status":"keyword","file.code_signature.subject_name":"keyword","file.code_signature.team_id":"keyword","file.code_signature.timestamp":"date","file.code_signature.trusted":"boolean","file.code_signature.valid":"boolean","file.created":"date","file.ctime":"date","file.device":"keyword","file.directory":"keyword","file.drive_letter":"keyword","file.elf.architecture":"keyword","file.elf.byte_order":"keyword","file.elf.cpu_type":"keyword","file.elf.creation_date":"date","file.elf.header.abi_version":"keyword","file.elf.header.class":"keyword","file.elf.header.data":"keyword","file.elf.header.entrypoint":"long","file.elf.header.object_version":"keyword","file.elf.header.os_abi":"keyword","file.elf.header.type":"keyword","file.elf.header.version":"keyword","file.elf.telfhash":"keyword","file.extension":"keyword","file.fork_name":"keyword","file.gid":"keyword","file.group":"keyword","file.hash.md5":"keyword","file.hash.sha1":"keyword","file.hash.sha256":"keyword","file.hash.sha384":"keyword","file.hash.sha512":"keyword","file.hash.ssdeep":"keyword","file.hash.tlsh":"keyword","file.inode":"keyword","file.mime_type":"keyword","file.mode":"keyword","file.mtime":"date","file.name":"keyword","file.owner":"keyword","file.path":"keyword","file.pe.architecture":"keyword","file.pe.company":"keyword","file.pe.description":"keyword","file.pe.file_version":"keyword","file.pe.imphash":"keyword","file.pe.original_file_name":"keyword","file.pe.pehash":"keyword","file.pe.product":"keyword","file.size":"long","file.target_path":"keyword","file.type":"keyword","file.uid":"keyword","file.x509.issuer.distinguished_name":"keyword","file.x509.not_after":"date","file.x509.not_before":"date","file.x509.public_key_algorithm":"keyword","file.x509.public_key_curve":"keyword","file.x509.public_key_exponent":"long","file.x509.public_key_size":"long","file.x509.serial_number":"keyword","file.x509.signature_algorithm":"keyword","file.x509.subject.distinguished_name":"keyword","file.x509.version_number":"keyword",
"group.domain":"keyword","group.id":"keyword","group.name":"keyword",
"host.architecture":"keyword","host.boot.id":"keyword","host.cpu.usage":"scaled_float","host.disk.read.bytes":"long","host.disk.write.bytes":"long","host.domain":"keyword","host.geo.city_name":"keyword","host.geo.continent_code":"keyword","host.geo.continent_name":"keyword","host.geo.country_iso_code":"keyword","host.geo.country_name":"keyword","host.geo.location":"geo_point","host.geo.name":"keyword","host.geo.postal_code":"keyword","host.geo.region_iso_code":"keyword","host.geo.region_name":"keyword","host.geo.timezone":"keyword","host.hostname":"keyword","host.id":"keyword","host.name":"keyword","host.network.egress.bytes":"long","host.network.egress.packets":"long","host.network.ingress.bytes":"long","host.network.ingress.packets":"long","host.os.family":"keyword","host.os.full":"keyword","host.os.kernel":"keyword","host.os.name":"keyword","host.os.platform":"keyword","host.os.type":"keyword","host.os.version":"keyword","host.pid_ns_ino":"keyword","host.risk.calculated_level":"keyword","host.risk.calculated_score":"float","host.risk.calculated_score_norm":"float","host.risk.static_level":"keyword","host.risk.static_score":"float","host.risk.static_score_norm":"float","host.type":"keyword","host.uptime":"long",
"http.request.body.bytes":"long","http.request.body.content":"keyword","http.request.bytes":"long","http.request.id":"keyword","http.request.method":"keyword","http.request.mime_type":"keyword","http.request.referrer":"keyword","http.response.body.bytes":"long","http.response.body.content":"keyword","http.response.bytes":"long","http.response.mime_type":"keyword","http.response.status_code":"long","http.version":"keyword",
"log.file.path":"keyword","log.level":"keyword","log.logger":"keyword","log.origin.file.line":"long","log.origin.file.name":"keyword","log.origin.function":"keyword",
"message":"text",
"network.application":"keyword","network.bytes":"long","network.community_id":"keyword","network.direction":"keyword","network.forwarded_ip":"ip","network.iana_number":"keyword","network.name":"keyword","network.packets":"long","network.protocol":"keyword","network.transport":"keyword","network.type":"keyword","network.vlan.id":"keyword","network.vlan.name":"keyword",
"observer.geo.city_name":"keyword","observer.geo.continent_code":"keyword","observer.geo.continent_name":"keyword","observer.geo.country_iso_code":"keyword","observer.geo.country_name":"keyword","observer.geo.location":"geo_point","observer.geo.name":"keyword","observer.geo.postal_code":"keyword","observer.geo.region_iso_code":"keyword","observer.geo.region_name":"keyword","observer.geo.timezone":"keyword","observer.hostname":"keyword","observer.name":"keyword","observer.os.family":"keyword","observer.os.full":"keyword","observer.os.kernel":"keyword","observer.os.name":"keyword","observer.os.platform":"keyword","observer.os.type":"keyword","observer.os.version":"keyword","observer.product":"keyword","observer.serial_number":"keyword","observer.type":"keyword","observer.vendor":"keyword","observer.version":"keyword",
"orchestrator.api_version":"keyword","orchestrator.cluster.id":"keyword","orchestrator.cluster.name":"keyword","orchestrator.cluster.url":"keyword","orchestrator.cluster.version":"keyword","orchestrator.namespace":"keyword","orchestrator.organization":"keyword","orchestrator.resource.id":"keyword","orchestrator.resource.name":"keyword","orchestrator.resource.parent.type":"keyword","orchestrator.resource.type":"keyword","orchestrator.type":"keyword",
"organization.id":"keyword","organization.name":"keyword",
"package.architecture":"keyword","package.build_version":"keyword","package.checksum":"keyword","package.description":"keyword","package.install_scope":"keyword","package.installed":"date","package.license":"keyword","package.name":"keyword","package.path":"keyword","package.reference":"keyword","package.size":"long","package.type":"keyword","package.version":"keyword",
"process.args_count":"long","process.code_signature.digest_algorithm":"keyword","process.code_signature.exists":"boolean","process.code_signature.signing_id":"keyword","process.code_signature.status":"keyword","process.code_signature.subject_name":"keyword","process.code_signature.team_id":"keyword","process.code_signature.timestamp":"date","process.code_signature.trusted":"boolean","process.code_signature.valid":"boolean","process.command_line":"keyword","process.elf.architecture":"keyword","process.elf.byte_order":"keyword","process.elf.cpu_type":"keyword","process.elf.creation_date":"date","process.elf.header.abi_version":"keyword","process.elf.header.class":"keyword","process.elf.header.data":"keyword","process.elf.header.entrypoint":"long","process.elf.header.object_version":"keyword","process.elf.header.os_abi":"keyword","process.elf.header.type":"keyword","process.elf.header.version":"keyword","process.elf.telfhash":"keyword","process.end":"date","process.entity_id":"keyword",
"process.entry_leader.args_count":"long","process.entry_leader.attested_groups.name":"keyword","process.entry_leader.attested_user.id":"keyword","process.entry_leader.attested_user.name":"keyword","process.entry_leader.command_line":"keyword","process.entry_leader.entity_id":"keyword","process.entry_leader.entry_meta.source.ip":"ip","process.entry_leader.entry_meta.type":"keyword","process.entry_leader.executable":"keyword","process.entry_leader.group.id":"keyword","process.entry_leader.group.name":"keyword","process.entry_leader.interactive":"boolean","process.entry_leader.name":"keyword","process.entry_leader.parent.entity_id":"keyword","process.entry_leader.parent.pid":"long","process.entry_leader.parent.session_leader.entity_id":"keyword","process.entry_leader.parent.session_leader.pid":"long","process.entry_leader.parent.session_leader.start":"date","process.entry_leader.parent.start":"date","process.entry_leader.pid":"long","process.entry_leader.real_group.id":"keyword","process.entry_leader.real_group.name":"keyword","process.entry_leader.real_user.id":"keyword","process.entry_leader.real_user.name":"keyword","process.entry_leader.same_as_process":"boolean","process.entry_leader.saved_group.id":"keyword","process.entry_leader.saved_group.name":"keyword","process.entry_leader.saved_user.id":"keyword","process.entry_leader.saved_user.name":"keyword","process.entry_leader.start":"date","process.entry_leader.supplemental_groups.id":"keyword","process.entry_leader.supplemental_groups.name":"keyword","process.entry_leader.user.id":"keyword","process.entry_leader.user.name":"keyword","process.entry_leader.working_directory":"keyword",
"process.executable":"keyword","process.exit_code":"long","process.group_leader.args_count":"long","process.group_leader.command_line":"keyword","process.group_leader.entity_id":"keyword","process.group_leader.executable":"keyword","process.group_leader.group.id":"keyword","process.group_leader.group.name":"keyword","process.group_leader.interactive":"boolean","process.group_leader.name":"keyword","process.group_leader.pid":"long","process.group_leader.real_group.id":"keyword","process.group_leader.real_group.name":"keyword","process.group_leader.real_user.id":"keyword","process.group_leader.real_user.name":"keyword","process.group_leader.same_as_process":"boolean","process.group_leader.saved_group.id":"keyword","process.group_leader.saved_group.name":"keyword","process.group_leader.saved_user.id":"keyword","process.group_leader.saved_user.name":"keyword","process.group_leader.start":"date","process.group_leader.supplemental_groups.id":"keyword","process.group_leader.supplemental_groups.name":"keyword","process.group_leader.user.id":"keyword","process.group_leader.user.name":"keyword","process.group_leader.working_directory":"keyword",
"process.hash.md5":"keyword","process.hash.sha1":"keyword","process.hash.sha256":"keyword","process.hash.sha384":"keyword","process.hash.sha512":"keyword","process.hash.ssdeep":"keyword","process.hash.tlsh":"keyword","process.interactive":"boolean","process.name":"keyword",
"process.parent.args_count":"long","process.parent.code_signature.digest_algorithm":"keyword","process.parent.code_signature.exists":"boolean","process.parent.code_signature.signing_id":"keyword","process.parent.code_signature.status":"keyword","process.parent.code_signature.subject_name":"keyword","process.parent.code_signature.team_id":"keyword","process.parent.code_signature.timestamp":"date","process.parent.code_signature.trusted":"boolean","process.parent.code_signature.valid":"boolean","process.parent.command_line":"keyword","process.parent.elf.architecture":"keyword","process.parent.elf.byte_order":"keyword","process.parent.elf.cpu_type":"keyword","process.parent.elf.creation_date":"date","process.parent.elf.header.abi_version":"keyword","process.parent.elf.header.class":"keyword","process.parent.elf.header.data":"keyword","process.parent.elf.header.entrypoint":"long","process.parent.elf.header.object_version":"keyword","process.parent.elf.header.os_abi":"keyword","process.parent.elf.header.type":"keyword","process.parent.elf.header.version":"keyword","process.parent.elf.telfhash":"keyword","process.parent.end":"date","process.parent.entity_id":"keyword","process.parent.executable":"keyword","process.parent.exit_code":"long","process.parent.group.id":"keyword","process.parent.group.name":"keyword","process.parent.group_leader.entity_id":"keyword","process.parent.group_leader.pid":"long","process.parent.group_leader.start":"date","process.parent.hash.md5":"keyword","process.parent.hash.sha1":"keyword","process.parent.hash.sha256":"keyword","process.parent.hash.sha384":"keyword","process.parent.hash.sha512":"keyword","process.parent.hash.ssdeep":"keyword","process.parent.hash.tlsh":"keyword","process.parent.interactive":"boolean","process.parent.name":"keyword","process.parent.pe.architecture":"keyword","process.parent.pe.company":"keyword","process.parent.pe.description":"keyword","process.parent.pe.file_version":"keyword","process.parent.pe.imphash":"keyword","process.parent.pe.original_file_name":"keyword","process.parent.pe.pehash":"keyword","process.parent.pe.product":"keyword","process.parent.pgid":"long","process.parent.pid":"long","process.parent.real_group.id":"keyword","process.parent.real_group.name":"keyword","process.parent.real_user.id":"keyword","process.parent.real_user.name":"keyword","process.parent.saved_group.id":"keyword","process.parent.saved_group.name":"keyword","process.parent.saved_user.id":"keyword","process.parent.saved_user.name":"keyword","process.parent.start":"date","process.parent.supplemental_groups.id":"keyword","process.parent.supplemental_groups.name":"keyword","process.parent.thread.id":"long","process.parent.thread.name":"keyword","process.parent.title":"keyword","process.parent.uptime":"long","process.parent.user.id":"keyword","process.parent.user.name":"keyword","process.parent.working_directory":"keyword",
"process.pe.architecture":"keyword","process.pe.company":"keyword","process.pe.description":"keyword","process.pe.file_version":"keyword","process.pe.imphash":"keyword","process.pe.original_file_name":"keyword","process.pe.pehash":"keyword","process.pe.product":"keyword","process.pgid":"long","process.pid":"long","process.previous.args_count":"long","process.previous.executable":"keyword","process.real_group.id":"keyword","process.real_group.name":"keyword","process.real_user.id":"keyword","process.real_user.name":"keyword","process.saved_group.id":"keyword","process.saved_group.name":"keyword","process.saved_user.id":"keyword","process.saved_user.name":"keyword",
"process.session_leader.args_count":"long","process.session_leader.command_line":"keyword","process.session_leader.entity_id":"keyword","process.session_leader.executable":"keyword","process.session_leader.group.id":"keyword","process.session_leader.group.name":"keyword","process.session_leader.interactive":"boolean","process.session_leader.name":"keyword","process.session_leader.parent.entity_id":"keyword","process.session_leader.parent.pid":"long","process.session_leader.parent.session_leader.entity_id":"keyword","process.session_leader.parent.session_leader.pid":"long","process.session_leader.parent.session_leader.start":"date","process.session_leader.parent.start":"date","process.session_leader.pid":"long","process.session_leader.real_group.id":"keyword","process.session_leader.real_group.name":"keyword","process.session_leader.real_user.id":"keyword","process.session_leader.real_user.name":"keyword","process.session_leader.same_as_process":"boolean","process.session_leader.saved_group.id":"keyword","process.session_leader.saved_group.name":"keyword","process.session_leader.saved_user.id":"keyword","process.session_leader.saved_user.name":"keyword","process.session_leader.start":"date","process.session_leader.supplemental_groups.id":"keyword","process.session_leader.supplemental_groups.name":"keyword","process.session_leader.user.id":"keyword","process.session_leader.user.name":"keyword","process.session_leader.working_directory":"keyword",
"process.start":"date","process.supplemental_groups.id":"keyword","process.supplemental_groups.name":"keyword","process.thread.id":"long","process.thread.name":"keyword","process.title":"keyword","process.uptime":"long","process.user.id":"keyword","process.user.name":"keyword","process.working_directory":"keyword",
"registry.data.bytes":"keyword","registry.data.type":"keyword","registry.hive":"keyword","registry.key":"keyword","registry.path":"keyword","registry.value":"keyword",
"rule.category":"keyword","rule.description":"keyword","rule.id":"keyword","rule.license":"keyword","rule.name":"keyword","rule.reference":"keyword","rule.ruleset":"keyword","rule.uuid":"keyword","rule.version":"keyword",
"server.address":"keyword","server.as.number":"long","server.as.organization.name":"keyword","server.bytes":"long","server.domain":"keyword","server.geo.city_name":"keyword","server.geo.continent_code":"keyword","server.geo.continent_name":"keyword","server.geo.country_iso_code":"keyword","server.geo.country_name":"keyword","server.geo.location":"geo_point","server.geo.name":"keyword","server.geo.postal_code":"keyword","server.geo.region_iso_code":"keyword","server.geo.region_name":"keyword","server.geo.timezone":"keyword","server.ip":"ip","server.mac":"keyword","server.nat.ip":"ip","server.nat.port":"long","server.packets":"long","server.port":"long","server.registered_domain":"keyword","server.subdomain":"keyword","server.top_level_domain":"keyword","server.user.domain":"keyword","server.user.email":"keyword","server.user.full_name":"keyword","server.user.group.domain":"keyword","server.user.group.id":"keyword","server.user.group.name":"keyword","server.user.hash":"keyword","server.user.id":"keyword","server.user.name":"keyword","server.user.risk.calculated_level":"keyword","server.user.risk.calculated_score":"float","server.user.risk.calculated_score_norm":"float","server.user.risk.static_level":"keyword","server.user.risk.static_score":"float","server.user.risk.static_score_norm":"float",
"service.address":"keyword","service.environment":"keyword","service.ephemeral_id":"keyword","service.id":"keyword","service.name":"keyword","service.node.name":"keyword","service.node.role":"keyword","service.origin.address":"keyword","service.origin.environment":"keyword","service.origin.ephemeral_id":"keyword","service.origin.id":"keyword","service.origin.name":"keyword","service.origin.node.name":"keyword","service.origin.node.role":"keyword","service.origin.state":"keyword","service.origin.type":"keyword","service.origin.version":"keyword","service.state":"keyword","service.target.address":"keyword","service.target.environment":"keyword","service.target.ephemeral_id":"keyword","service.target.id":"keyword","service.target.name":"keyword","service.target.node.name":"keyword","service.target.node.role":"keyword","service.target.state":"keyword","service.target.type":"keyword","service.target.version":"keyword","service.type":"keyword","service.version":"keyword",
"source.address":"keyword","source.as.number":"long","source.as.organization.name":"keyword","source.bytes":"long","source.domain":"keyword","source.geo.city_name":"keyword","source.geo.continent_code":"keyword","source.geo.continent_name":"keyword","source.geo.country_iso_code":"keyword","source.geo.country_name":"keyword","source.geo.location":"geo_point","source.geo.name":"keyword","source.geo.postal_code":"keyword","source.geo.region_iso_code":"keyword","source.geo.region_name":"keyword","source.geo.timezone":"keyword","source.ip":"ip","source.mac":"keyword","source.nat.ip":"ip","source.nat.port":"long","source.packets":"long","source.port":"long","source.registered_domain":"keyword","source.subdomain":"keyword","source.top_level_domain":"keyword","source.user.domain":"keyword","source.user.email":"keyword","source.user.full_name":"keyword","source.user.group.domain":"keyword","source.user.group.id":"keyword","source.user.group.name":"keyword","source.user.hash":"keyword","source.user.id":"keyword","source.user.name":"keyword","source.user.risk.calculated_level":"keyword","source.user.risk.calculated_score":"float","source.user.risk.calculated_score_norm":"float","source.user.risk.static_level":"keyword","source.user.risk.static_score":"float","source.user.risk.static_score_norm":"float",
"span.id":"keyword",
"threat.feed.dashboard_id":"keyword","threat.feed.description":"keyword","threat.feed.name":"keyword","threat.feed.reference":"keyword","threat.framework":"keyword","threat.group.id":"keyword","threat.group.name":"keyword","threat.group.reference":"keyword","threat.indicator.as.number":"long","threat.indicator.as.organization.name":"keyword","threat.indicator.confidence":"keyword","threat.indicator.description":"keyword","threat.indicator.email.address":"keyword",
"threat.indicator.file.accessed":"date","threat.indicator.file.code_signature.digest_algorithm":"keyword","threat.indicator.file.code_signature.exists":"boolean","threat.indicator.file.code_signature.signing_id":"keyword","threat.indicator.file.code_signature.status":"keyword","threat.indicator.file.code_signature.subject_name":"keyword","threat.indicator.file.code_signature.team_id":"keyword","threat.indicator.file.code_signature.timestamp":"date","threat.indicator.file.code_signature.trusted":"boolean","threat.indicator.file.code_signature.valid":"boolean","threat.indicator.file.created":"date","threat.indicator.file.ctime":"date","threat.indicator.file.device":"keyword","threat.indicator.file.directory":"keyword","threat.indicator.file.drive_letter":"keyword","threat.indicator.file.elf.architecture":"keyword","threat.indicator.file.elf.byte_order":"keyword","threat.indicator.file.elf.cpu_type":"keyword","threat.indicator.file.elf.creation_date":"date","threat.indicator.file.elf.header.abi_version":"keyword","threat.indicator.file.elf.header.class":"keyword","threat.indicator.file.elf.header.data":"keyword","threat.indicator.file.elf.header.entrypoint":"long","threat.indicator.file.elf.header.object_version":"keyword","threat.indicator.file.elf.header.os_abi":"keyword","threat.indicator.file.elf.header.type":"keyword","threat.indicator.file.elf.header.version":"keyword","threat.indicator.file.elf.telfhash":"keyword","threat.indicator.file.extension":"keyword","threat.indicator.file.fork_name":"keyword","threat.indicator.file.gid":"keyword","threat.indicator.file.group":"keyword","threat.indicator.file.hash.md5":"keyword","threat.indicator.file.hash.sha1":"keyword","threat.indicator.file.hash.sha256":"keyword","threat.indicator.file.hash.sha384":"keyword","threat.indicator.file.hash.sha512":"keyword","threat.indicator.file.hash.ssdeep":"keyword","threat.indicator.file.hash.tlsh":"keyword","threat.indicator.file.inode":"keyword","threat.indicator.file.mime_type":"keyword","threat.indicator.file.mode":"keyword","threat.indicator.file.mtime":"date","threat.indicator.file.name":"keyword","threat.indicator.file.owner":"keyword","threat.indicator.file.path":"keyword","threat.indicator.file.pe.architecture":"keyword","threat.indicator.file.pe.company":"keyword","threat.indicator.file.pe.description":"keyword","threat.indicator.file.pe.file_version":"keyword","threat.indicator.file.pe.imphash":"keyword","threat.indicator.file.pe.original_file_name":"keyword","threat.indicator.file.pe.pehash":"keyword","threat.indicator.file.pe.product":"keyword","threat.indicator.file.size":"long","threat.indicator.file.target_path":"keyword","threat.indicator.file.type":"keyword","threat.indicator.file.uid":"keyword","threat.indicator.file.x509.issuer.distinguished_name":"keyword","threat.indicator.file.x509.not_after":"date","threat.indicator.file.x509.not_before":"date","threat.indicator.file.x509.public_key_algorithm":"keyword","threat.indicator.file.x509.public_key_curve":"keyword","threat.indicator.file.x509.public_key_exponent":"long","threat.indicator.file.x509.public_key_size":"long","threat.indicator.file.x509.serial_number":"keyword","threat.indicator.file.x509.signature_algorithm":"keyword","threat.indicator.file.x509.subject.distinguished_name":"keyword","threat.indicator.file.x509.version_number":"keyword",
"threat.indicator.first_seen":"date","threat.indicator.geo.city_name":"keyword","threat.indicator.geo.continent_code":"keyword","threat.indicator.geo.continent_name":"keyword","threat.indicator.geo.country_iso_code":"keyword","threat.indicator.geo.country_name":"keyword","threat.indicator.geo.location":"geo_point","threat.indicator.geo.name":"keyword","threat.indicator.geo.postal_code":"keyword","threat.indicator.geo.region_iso_code":"keyword","threat.indicator.geo.region_name":"keyword","threat.indicator.geo.timezone":"keyword","threat.indicator.ip":"ip","threat.indicator.last_seen":"date","threat.indicator.marking.tlp":"keyword","threat.indicator.modified_at":"date","threat.indicator.port":"long","threat.indicator.provider":"keyword","threat.indicator.reference":"keyword","threat.indicator.registry.data.bytes":"keyword","threat.indicator.registry.data.type":"keyword","threat.indicator.registry.hive":"keyword","threat.indicator.registry.key":"keyword","threat.indicator.registry.path":"keyword","threat.indicator.registry.value":"keyword","threat.indicator.scanner_stats":"long","threat.indicator.sightings":"long","threat.indicator.type":"keyword","threat.indicator.url.domain":"keyword","threat.indicator.url.extension":"keyword","threat.indicator.url.fragment":"keyword","threat.indicator.url.full":"keyword","threat.indicator.url.original":"keyword","threat.indicator.url.password":"keyword","threat.indicator.url.path":"keyword","threat.indicator.url.port":"long","threat.indicator.url.query":"keyword","threat.indicator.url.registered_domain":"keyword","threat.indicator.url.scheme":"keyword","threat.indicator.url.subdomain":"keyword","threat.indicator.url.top_level_domain":"keyword","threat.indicator.url.username":"keyword","threat.indicator.x509.issuer.distinguished_name":"keyword","threat.indicator.x509.not_after":"date","threat.indicator.x509.not_before":"date","threat.indicator.x509.public_key_algorithm":"keyword","threat.indicator.x509.public_key_curve":"keyword","threat.indicator.x509.public_key_exponent":"long","threat.indicator.x509.public_key_size":"long","threat.indicator.x509.serial_number":"keyword","threat.indicator.x509.signature_algorithm":"keyword","threat.indicator.x509.subject.distinguished_name":"keyword","threat.indicator.x509.version_number":"keyword","threat.software.id":"keyword","threat.software.name":"keyword","threat.software.reference":"keyword","threat.software.type":"keyword",
"tls.cipher":"keyword","tls.client.certificate":"keyword","tls.client.hash.md5":"keyword","tls.client.hash.sha1":"keyword","tls.client.hash.sha256":"keyword","tls.client.issuer":"keyword","tls.client.ja3":"keyword","tls.client.not_after":"date","tls.client.not_before":"date","tls.client.server_name":"keyword","tls.client.subject":"keyword","tls.client.x509.issuer.distinguished_name":"keyword","tls.client.x509.not_after":"date","tls.client.x509.not_before":"date","tls.client.x509.public_key_algorithm":"keyword","tls.client.x509.public_key_curve":"keyword","tls.client.x509.public_key_exponent":"long","tls.client.x509.public_key_size":"long","tls.client.x509.serial_number":"keyword","tls.client.x509.signature_algorithm":"keyword","tls.client.x509.subject.distinguished_name":"keyword","tls.client.x509.version_number":"keyword","tls.curve":"keyword","tls.established":"boolean","tls.next_protocol":"keyword","tls.resumed":"boolean","tls.server.certificate":"keyword","tls.server.hash.md5":"keyword","tls.server.hash.sha1":"keyword","tls.server.hash.sha256":"keyword","tls.server.issuer":"keyword","tls.server.ja3s":"keyword","tls.server.not_after":"date","tls.server.not_before":"date","tls.server.subject":"keyword","tls.server.x509.issuer.distinguished_name":"keyword","tls.server.x509.not_after":"date","tls.server.x509.not_before":"date","tls.server.x509.public_key_algorithm":"keyword","tls.server.x509.public_key_curve":"keyword","tls.server.x509.public_key_exponent":"long","tls.server.x509.public_key_size":"long","tls.server.x509.serial_number":"keyword","tls.server.x509.signature_algorithm":"keyword","tls.server.x509.subject.distinguished_name":"keyword","tls.server.x509.version_number":"keyword","tls.version":"keyword","tls.version_protocol":"keyword",
"trace.id":"keyword","transaction.id":"keyword",
"url.domain":"keyword","url.extension":"keyword","url.fragment":"keyword","url.full":"keyword","url.original":"keyword","url.password":"keyword","url.path":"keyword","url.port":"long","url.query":"keyword","url.registered_domain":"keyword","url.scheme":"keyword","url.subdomain":"keyword","url.top_level_domain":"keyword","url.username":"keyword",
"user.changes.domain":"keyword","user.changes.email":"keyword","user.changes.full_name":"keyword","user.changes.group.domain":"keyword","user.changes.group.id":"keyword","user.changes.group.name":"keyword","user.changes.hash":"keyword","user.changes.id":"keyword","user.changes.name":"keyword","user.changes.risk.calculated_level":"keyword","user.changes.risk.calculated_score":"float","user.changes.risk.calculated_score_norm":"float","user.changes.risk.static_level":"keyword","user.changes.risk.static_score":"float","user.changes.risk.static_score_norm":"float","user.domain":"keyword","user.effective.domain":"keyword","user.effective.email":"keyword","user.effective.full_name":"keyword","user.effective.group.domain":"keyword","user.effective.group.id":"keyword","user.effective.group.name":"keyword","user.effective.hash":"keyword","user.effective.id":"keyword","user.effective.name":"keyword","user.effective.risk.calculated_level":"keyword","user.effective.risk.calculated_score":"float","user.effective.risk.calculated_score_norm":"float","user.effective.risk.static_level":"keyword","user.effective.risk.static_score":"float","user.effective.risk.static_score_norm":"float","user.email":"keyword","user.full_name":"keyword","user.group.domain":"keyword","user.group.id":"keyword","user.group.name":"keyword","user.hash":"keyword","user.id":"keyword","user.name":"keyword","user.risk.calculated_level":"keyword","user.risk.calculated_score":"float","user.risk.calculated_score_norm":"float","user.risk.static_level":"keyword","user.risk.static_score":"float","user.risk.static_score_norm":"float","user.target.domain":"keyword","user.target.email":"keyword","user.target.full_name":"keyword","user.target.group.domain":"keyword","user.target.group.id":"keyword","user.target.group.name":"keyword","user.target.hash":"keyword","user.target.id":"keyword","user.target.name":"keyword","user.target.risk.calculated_level":"keyword","user.target.risk.calculated_score":"float","user.target.risk.calculated_score_norm":"float","user.target.risk.static_level":"keyword","user.target.risk.static_score":"float","user.target.risk.static_score_norm":"float",
"user_agent.device.name":"keyword","user_agent.name":"keyword","user_agent.original":"keyword","user_agent.os.family":"keyword","user_agent.os.full":"keyword","user_agent.os.kernel":"keyword","user_agent.os.name":"keyword","user_agent.os.platform":"keyword","user_agent.os.type":"keyword","user_agent.os.version":"keyword","user_agent.version":"keyword",
"vulnerability.classification":"keyword","vulnerability.description":"keyword","vulnerability.enumeration":"keyword","vulnerability.id":"keyword","vulnerability.reference":"keyword","vulnerability.report_id":"keyword","vulnerability.scanner.vendor":"keyword","vulnerability.score.base":"float","vulnerability.score.environmental":"float","vulnerability.score.temporal":"float","vulnerability.score.version":"keyword","vulnerability.severity":"keyword"
,"wazuh.queue":"long","wazuh.location":"text","wazuh.message":"text","wazuh.origin":"keyword","wazuh.registered_ip":"keyword","wazuh.source":"keyword","url":"url","user_agent":"useragent"}}
```

> Results
>
> Valid JSON
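An added example of the check a case like the one above needs, written for this issue and not taken from the QA script `test_api_endpoint.py` (its code is not shown on this page): it wraps a `cases.json` entry into the query shape the script prints on its `Query:` line and validates a `catalog` `get` response for both the `json` and the `yaml`/`yml` formats, including the field-type check a "Valid JSON" result alone does not give. Assumptions are labelled in the code: the `catalog.resource/<subcommand>` mapping is generalised from the single `get` case printed here, the YAML content shape (`name:` plus a flat `fields:` mapping) is taken from the response quoted on this page so no PyYAML is needed, and `KNOWN_FIELD_TYPES` is a constructed allow-list built from the types that appear in these responses.

```python
import json

# Field types seen in the engine schema responses quoted in this issue. This is a
# constructed allow-list for the checker, not a list the engine itself exports.
KNOWN_FIELD_TYPES = {
    "keyword", "text", "date", "long", "float", "scaled_float", "boolean",
    "ip", "geo_point", "url", "useragent",
}


def build_query(case):
    """Wrap one cases.json entry into the socket query printed by the QA script.

    Assumption: every catalog subcommand maps to 'catalog.resource/<subcommand>',
    generalised from the single 'get' case shown on this page.
    """
    return {
        "version": 1,
        "origin": {"name": "engine", "module": "api"},
        "command": f"{case['command']}.resource/{case['subcommand']}",
        "parameters": dict(case["parameters"]),
    }


def parse_schema_yaml(text):
    """Parse the flat 'name:' + 'fields:' YAML document the engine returns.

    Only this two-level shape (assumed from the response quoted on this page)
    is handled, so the check runs without PyYAML. Raises ValueError otherwise.
    """
    name, fields, in_fields = None, {}, False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("name:"):
            name = raw[len("name:"):].strip()
        elif raw.startswith("fields:"):
            in_fields = True
        elif in_fields and raw[0] in " \t":
            key, sep, value = raw.strip().partition(":")
            if not sep or not value.strip():
                raise ValueError(f"malformed field line: {raw!r}")
            # keys such as "@timestamp" are quoted in the engine output
            fields[key.strip().strip('"')] = value.strip()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if name is None or not fields:
        raise ValueError("missing 'name' or 'fields'")
    return {"name": name, "fields": fields}


def validate_get_response(raw_response, requested_format):
    """Check a catalog get response: status OK, content parses in the requested
    format, and every field type is one the engine is known to emit.

    Returns (ok, problems) so a test can assert on both values.
    """
    problems = []
    try:
        data = json.loads(raw_response)["data"]
    except (ValueError, KeyError, TypeError) as exc:
        return False, [f"response envelope is not the expected JSON: {exc}"]
    if data.get("status") != "OK":
        return False, [f"status {data.get('status')!r}: {data.get('error')!r}"]
    content = data.get("content", "")
    try:
        if requested_format == "json":
            # content may arrive as an embedded object or as a JSON string
            schema = content if isinstance(content, dict) else json.loads(content)
        elif requested_format in ("yaml", "yml"):
            schema = parse_schema_yaml(content)
        else:
            return False, [f"unsupported format {requested_format!r}"]
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return False, [f"content is not valid {requested_format}: {exc}"]
    if not isinstance(schema, dict) or "name" not in schema or "fields" not in schema:
        return False, ["content lacks 'name'/'fields'"]
    for field, ftype in schema["fields"].items():
        if ftype not in KNOWN_FIELD_TYPES:
            problems.append(f"{field}: unknown type {ftype!r}")
    return not problems, problems


# Constructed sample responses, trimmed to a few of the fields quoted on this page.
SAMPLE_YAML_RESPONSE = json.dumps({"data": {"status": "OK", "content":
    "name: schema/wazuh-logpar-types/0\nfields:\n  \"@timestamp\": date\n  agent.id: keyword\n  client.ip: ip\n"}})
SAMPLE_JSON_RESPONSE = json.dumps({"data": {"status": "OK", "content": json.dumps(
    {"name": "schema/wazuh-logpar-types/0", "fields": {"@timestamp": "date", "url.port": "long"}})}})
SAMPLE_ERROR_RESPONSE = json.dumps({"data": {"status": "ERROR", "error": "constructed error text"}})

if __name__ == "__main__":
    case = {"command": "catalog", "subcommand": "get",
            "parameters": {"name": "schema/wazuh-logpar-types/0", "format": "yaml"}}
    print("Query:", build_query(case))
    for fmt, raw in (("yaml", SAMPLE_YAML_RESPONSE), ("json", SAMPLE_JSON_RESPONSE)):
        print(fmt, validate_get_response(raw, fmt))
```

Feeding the real `Response:` line from a run into `validate_get_response` with the format from the case turns the manual "Valid JSON" check into an assertion, and the unknown-type report is what catches a schema that parses but carries a type the engine does not support.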
Get the already loaded schema by its version as yaml :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "schema/wazuh-logpar-types/0",
      "format": "yaml"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/wazuh-logpar-types/0', 'format': 'yaml'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/wazuh-logpar-types/0', 'format': 'yaml'}}
Response: {"data":{"status":"OK","content":"name: schema/wazuh-logpar-types/0\nfields:\n \"@timestamp\": date\n agent.build.original: keyword\n agent.ephemeral_id: keyword\n agent.id: keyword\n agent.name: keyword\n agent.type: keyword\n agent.version: keyword\n client.address: keyword\n client.as.number: long\n client.as.organization.name: keyword\n client.bytes: long\n client.domain: keyword\n client.geo.city_name: keyword\n client.geo.continent_code: keyword\n client.geo.continent_name: keyword\n client.geo.country_iso_code: keyword\n client.geo.country_name: keyword\n client.geo.location: geo_point\n client.geo.name: keyword\n client.geo.postal_code: keyword\n client.geo.region_iso_code: keyword\n client.geo.region_name: keyword\n client.geo.timezone: keyword\n client.ip: ip\n client.mac: keyword\n client.nat.ip: ip\n client.nat.port: long\n client.packets: long\n client.port: long\n client.registered_domain: keyword\n client.subdomain: keyword\n client.top_level_domain: keyword\n client.user.domain: keyword\n client.user.email: keyword\n client.user.full_name: 
keyword\n client.user.group.domain: keyword\n client.user.group.id: keyword\n client.user.group.name: keyword\n client.user.hash: keyword\n client.user.id: keyword\n client.user.name: keyword\n client.user.risk.calculated_level: keyword\n client.user.risk.calculated_score: float\n client.user.risk.calculated_score_norm: float\n client.user.risk.static_level: keyword\n client.user.risk.static_score: float\n client.user.risk.static_score_norm: float\n cloud.account.id: keyword\n cloud.account.name: keyword\n cloud.availability_zone: keyword\n cloud.instance.id: keyword\n cloud.instance.name: keyword\n cloud.machine.type: keyword\n cloud.origin.account.id: keyword\n cloud.origin.account.name: keyword\n cloud.origin.availability_zone: keyword\n cloud.origin.instance.id: keyword\n cloud.origin.instance.name: keyword\n cloud.origin.machine.type: keyword\n cloud.origin.project.id: keyword\n cloud.origin.project.name: keyword\n cloud.origin.provider: keyword\n cloud.origin.region: keyword\n cloud.origin.service.name: keyword\n cloud.project.id: keyword\n cloud.project.name: keyword\n cloud.provider: keyword\n cloud.region: keyword\n cloud.service.name: keyword\n cloud.target.account.id: keyword\n cloud.target.account.name: keyword\n cloud.target.availability_zone: keyword\n cloud.target.instance.id: keyword\n cloud.target.instance.name: keyword\n cloud.target.machine.type: keyword\n cloud.target.project.id: keyword\n cloud.target.project.name: keyword\n cloud.target.provider: keyword\n cloud.target.region: keyword\n cloud.target.service.name: keyword\n container.cpu.usage: scaled_float\n container.disk.read.bytes: long\n container.disk.write.bytes: long\n container.id: keyword\n container.image.name: keyword\n container.memory.usage: scaled_float\n container.name: keyword\n container.network.egress.bytes: long\n container.network.ingress.bytes: long\n container.runtime: keyword\n data_stream.dataset: keyword\n data_stream.namespace: keyword\n data_stream.type: keyword\n 
destination.address: keyword\n destination.as.number: long\n destination.as.organization.name: keyword\n destination.bytes: long\n destination.domain: keyword\n destination.geo.city_name: keyword\n destination.geo.continent_code: keyword\n destination.geo.continent_name: keyword\n destination.geo.country_iso_code: keyword\n destination.geo.country_name: keyword\n destination.geo.location: geo_point\n destination.geo.name: keyword\n destination.geo.postal_code: keyword\n destination.geo.region_iso_code: keyword\n destination.geo.region_name: keyword\n destination.geo.timezone: keyword\n destination.ip: ip\n destination.mac: keyword\n destination.nat.ip: ip\n destination.nat.port: long\n destination.packets: long\n destination.port: long\n destination.registered_domain: keyword\n destination.subdomain: keyword\n destination.top_level_domain: keyword\n destination.user.domain: keyword\n destination.user.email: keyword\n destination.user.full_name: keyword\n destination.user.group.domain: keyword\n destination.user.group.id: keyword\n destination.user.group.name: keyword\n destination.user.hash: keyword\n destination.user.id: keyword\n destination.user.name: keyword\n destination.user.risk.calculated_level: keyword\n destination.user.risk.calculated_score: float\n destination.user.risk.calculated_score_norm: float\n destination.user.risk.static_level: keyword\n destination.user.risk.static_score: float\n destination.user.risk.static_score_norm: float\n dll.code_signature.digest_algorithm: keyword\n dll.code_signature.exists: boolean\n dll.code_signature.signing_id: keyword\n dll.code_signature.status: keyword\n dll.code_signature.subject_name: keyword\n dll.code_signature.team_id: keyword\n dll.code_signature.timestamp: date\n dll.code_signature.trusted: boolean\n dll.code_signature.valid: boolean\n dll.hash.md5: keyword\n dll.hash.sha1: keyword\n dll.hash.sha256: keyword\n dll.hash.sha384: keyword\n dll.hash.sha512: keyword\n dll.hash.ssdeep: keyword\n dll.hash.tlsh: 
keyword\n dll.name: keyword\n dll.path: keyword\n dll.pe.architecture: keyword\n dll.pe.company: keyword\n dll.pe.description: keyword\n dll.pe.file_version: keyword\n dll.pe.imphash: keyword\n dll.pe.original_file_name: keyword\n dll.pe.pehash: keyword\n dll.pe.product: keyword\n dns.id: keyword\n dns.op_code: keyword\n dns.question.class: keyword\n dns.question.name: keyword\n dns.question.registered_domain: keyword\n dns.question.subdomain: keyword\n dns.question.top_level_domain: keyword\n dns.question.type: keyword\n dns.response_code: keyword\n dns.type: keyword\n ecs.version: keyword\n email.content_type: keyword\n email.delivery_timestamp: date\n email.direction: keyword\n email.local_id: keyword\n email.message_id: keyword\n email.origination_timestamp: date\n email.sender.address: keyword\n email.subject: keyword\n email.x_mailer: keyword\n error.code: keyword\n error.id: keyword\n error.message: text\n error.stack_trace: keyword\n error.type: keyword\n event.action: keyword\n event.agent_id_status: keyword\n event.code: keyword\n event.created: date\n event.dataset: keyword\n event.duration: long\n event.end: date\n event.hash: keyword\n event.id: keyword\n event.ingested: date\n event.kind: keyword\n event.module: keyword\n event.original: keyword\n event.outcome: keyword\n event.provider: keyword\n event.reason: keyword\n event.reference: keyword\n event.risk_score: float\n event.risk_score_norm: float\n event.sequence: long\n event.severity: long\n event.start: date\n event.timezone: keyword\n event.url: keyword\n faas.coldstart: boolean\n faas.execution: keyword\n faas.id: keyword\n faas.name: keyword\n faas.version: keyword\n file.accessed: date\n file.code_signature.digest_algorithm: keyword\n file.code_signature.exists: boolean\n file.code_signature.signing_id: keyword\n file.code_signature.status: keyword\n file.code_signature.subject_name: keyword\n file.code_signature.team_id: keyword\n file.code_signature.timestamp: date\n 
file.code_signature.trusted: boolean\n file.code_signature.valid: boolean\n file.created: date\n file.ctime: date\n file.device: keyword\n file.directory: keyword\n file.drive_letter: keyword\n file.elf.architecture: keyword\n file.elf.byte_order: keyword\n file.elf.cpu_type: keyword\n file.elf.creation_date: date\n file.elf.header.abi_version: keyword\n file.elf.header.class: keyword\n file.elf.header.data: keyword\n file.elf.header.entrypoint: long\n file.elf.header.object_version: keyword\n file.elf.header.os_abi: keyword\n file.elf.header.type: keyword\n file.elf.header.version: keyword\n file.elf.telfhash: keyword\n file.extension: keyword\n file.fork_name: keyword\n file.gid: keyword\n file.group: keyword\n file.hash.md5: keyword\n file.hash.sha1: keyword\n file.hash.sha256: keyword\n file.hash.sha384: keyword\n file.hash.sha512: keyword\n file.hash.ssdeep: keyword\n file.hash.tlsh: keyword\n file.inode: keyword\n file.mime_type: keyword\n file.mode: keyword\n file.mtime: date\n file.name: keyword\n file.owner: keyword\n file.path: keyword\n file.pe.architecture: keyword\n file.pe.company: keyword\n file.pe.description: keyword\n file.pe.file_version: keyword\n file.pe.imphash: keyword\n file.pe.original_file_name: keyword\n file.pe.pehash: keyword\n file.pe.product: keyword\n file.size: long\n file.target_path: keyword\n file.type: keyword\n file.uid: keyword\n file.x509.issuer.distinguished_name: keyword\n file.x509.not_after: date\n file.x509.not_before: date\n file.x509.public_key_algorithm: keyword\n file.x509.public_key_curve: keyword\n file.x509.public_key_exponent: long\n file.x509.public_key_size: long\n file.x509.serial_number: keyword\n file.x509.signature_algorithm: keyword\n file.x509.subject.distinguished_name: keyword\n file.x509.version_number: keyword\n group.domain: keyword\n group.id: keyword\n group.name: keyword\n host.architecture: keyword\n host.boot.id: keyword\n host.cpu.usage: scaled_float\n host.disk.read.bytes: long\n 
host.disk.write.bytes: long\n host.domain: keyword\n host.geo.city_name: keyword\n host.geo.continent_code: keyword\n host.geo.continent_name: keyword\n host.geo.country_iso_code: keyword\n host.geo.country_name: keyword\n host.geo.location: geo_point\n host.geo.name: keyword\n host.geo.postal_code: keyword\n host.geo.region_iso_code: keyword\n host.geo.region_name: keyword\n host.geo.timezone: keyword\n host.hostname: keyword\n host.id: keyword\n host.name: keyword\n host.network.egress.bytes: long\n host.network.egress.packets: long\n host.network.ingress.bytes: long\n host.network.ingress.packets: long\n host.os.family: keyword\n host.os.full: keyword\n host.os.kernel: keyword\n host.os.name: keyword\n host.os.platform: keyword\n host.os.type: keyword\n host.os.version: keyword\n host.pid_ns_ino: keyword\n host.risk.calculated_level: keyword\n host.risk.calculated_score: float\n host.risk.calculated_score_norm: float\n host.risk.static_level: keyword\n host.risk.static_score: float\n host.risk.static_score_norm: float\n host.type: keyword\n host.uptime: long\n http.request.body.bytes: long\n http.request.body.content: keyword\n http.request.bytes: long\n http.request.id: keyword\n http.request.method: keyword\n http.request.mime_type: keyword\n http.request.referrer: keyword\n http.response.body.bytes: long\n http.response.body.content: keyword\n http.response.bytes: long\n http.response.mime_type: keyword\n http.response.status_code: long\n http.version: keyword\n log.file.path: keyword\n log.level: keyword\n log.logger: keyword\n log.origin.file.line: long\n log.origin.file.name: keyword\n log.origin.function: keyword\n message: text\n network.application: keyword\n network.bytes: long\n network.community_id: keyword\n network.direction: keyword\n network.forwarded_ip: ip\n network.iana_number: keyword\n network.name: keyword\n network.packets: long\n network.protocol: keyword\n network.transport: keyword\n network.type: keyword\n network.vlan.id: keyword\n 
network.vlan.name: keyword\n observer.geo.city_name: keyword\n observer.geo.continent_code: keyword\n observer.geo.continent_name: keyword\n observer.geo.country_iso_code: keyword\n observer.geo.country_name: keyword\n observer.geo.location: geo_point\n observer.geo.name: keyword\n observer.geo.postal_code: keyword\n observer.geo.region_iso_code: keyword\n observer.geo.region_name: keyword\n observer.geo.timezone: keyword\n observer.hostname: keyword\n observer.name: keyword\n observer.os.family: keyword\n observer.os.full: keyword\n observer.os.kernel: keyword\n observer.os.name: keyword\n observer.os.platform: keyword\n observer.os.type: keyword\n observer.os.version: keyword\n observer.product: keyword\n observer.serial_number: keyword\n observer.type: keyword\n observer.vendor: keyword\n observer.version: keyword\n orchestrator.api_version: keyword\n orchestrator.cluster.id: keyword\n orchestrator.cluster.name: keyword\n orchestrator.cluster.url: keyword\n orchestrator.cluster.version: keyword\n orchestrator.namespace: keyword\n orchestrator.organization: keyword\n orchestrator.resource.id: keyword\n orchestrator.resource.name: keyword\n orchestrator.resource.parent.type: keyword\n orchestrator.resource.type: keyword\n orchestrator.type: keyword\n organization.id: keyword\n organization.name: keyword\n package.architecture: keyword\n package.build_version: keyword\n package.checksum: keyword\n package.description: keyword\n package.install_scope: keyword\n package.installed: date\n package.license: keyword\n package.name: keyword\n package.path: keyword\n package.reference: keyword\n package.size: long\n package.type: keyword\n package.version: keyword\n process.args_count: long\n process.code_signature.digest_algorithm: keyword\n process.code_signature.exists: boolean\n process.code_signature.signing_id: keyword\n process.code_signature.status: keyword\n process.code_signature.subject_name: keyword\n process.code_signature.team_id: keyword\n 
process.code_signature.timestamp: date\n process.code_signature.trusted: boolean\n process.code_signature.valid: boolean\n process.command_line: keyword\n process.elf.architecture: keyword\n process.elf.byte_order: keyword\n process.elf.cpu_type: keyword\n process.elf.creation_date: date\n process.elf.header.abi_version: keyword\n process.elf.header.class: keyword\n process.elf.header.data: keyword\n process.elf.header.entrypoint: long\n process.elf.header.object_version: keyword\n process.elf.header.os_abi: keyword\n process.elf.header.type: keyword\n process.elf.header.version: keyword\n process.elf.telfhash: keyword\n process.end: date\n process.entity_id: keyword\n process.entry_leader.args_count: long\n process.entry_leader.attested_groups.name: keyword\n process.entry_leader.attested_user.id: keyword\n process.entry_leader.attested_user.name: keyword\n process.entry_leader.command_line: keyword\n process.entry_leader.entity_id: keyword\n process.entry_leader.entry_meta.source.ip: ip\n process.entry_leader.entry_meta.type: keyword\n process.entry_leader.executable: keyword\n process.entry_leader.group.id: keyword\n process.entry_leader.group.name: keyword\n process.entry_leader.interactive: boolean\n process.entry_leader.name: keyword\n process.entry_leader.parent.entity_id: keyword\n process.entry_leader.parent.pid: long\n process.entry_leader.parent.session_leader.entity_id: keyword\n process.entry_leader.parent.session_leader.pid: long\n process.entry_leader.parent.session_leader.start: date\n process.entry_leader.parent.start: date\n process.entry_leader.pid: long\n process.entry_leader.real_group.id: keyword\n process.entry_leader.real_group.name: keyword\n process.entry_leader.real_user.id: keyword\n process.entry_leader.real_user.name: keyword\n process.entry_leader.same_as_process: boolean\n process.entry_leader.saved_group.id: keyword\n process.entry_leader.saved_group.name: keyword\n process.entry_leader.saved_user.id: keyword\n 
process.entry_leader.saved_user.name: keyword\n process.entry_leader.start: date\n process.entry_leader.supplemental_groups.id: keyword\n process.entry_leader.supplemental_groups.name: keyword\n process.entry_leader.user.id: keyword\n process.entry_leader.user.name: keyword\n process.entry_leader.working_directory: keyword\n process.executable: keyword\n process.exit_code: long\n process.group_leader.args_count: long\n process.group_leader.command_line: keyword\n process.group_leader.entity_id: keyword\n process.group_leader.executable: keyword\n process.group_leader.group.id: keyword\n process.group_leader.group.name: keyword\n process.group_leader.interactive: boolean\n process.group_leader.name: keyword\n process.group_leader.pid: long\n process.group_leader.real_group.id: keyword\n process.group_leader.real_group.name: keyword\n process.group_leader.real_user.id: keyword\n process.group_leader.real_user.name: keyword\n process.group_leader.same_as_process: boolean\n process.group_leader.saved_group.id: keyword\n process.group_leader.saved_group.name: keyword\n process.group_leader.saved_user.id: keyword\n process.group_leader.saved_user.name: keyword\n process.group_leader.start: date\n process.group_leader.supplemental_groups.id: keyword\n process.group_leader.supplemental_groups.name: keyword\n process.group_leader.user.id: keyword\n process.group_leader.user.name: keyword\n process.group_leader.working_directory: keyword\n process.hash.md5: keyword\n process.hash.sha1: keyword\n process.hash.sha256: keyword\n process.hash.sha384: keyword\n process.hash.sha512: keyword\n process.hash.ssdeep: keyword\n process.hash.tlsh: keyword\n process.interactive: boolean\n process.name: keyword\n process.parent.args_count: long\n process.parent.code_signature.digest_algorithm: keyword\n process.parent.code_signature.exists: boolean\n process.parent.code_signature.signing_id: keyword\n process.parent.code_signature.status: keyword\n 
process.parent.code_signature.subject_name: keyword\n process.parent.code_signature.team_id: keyword\n process.parent.code_signature.timestamp: date\n process.parent.code_signature.trusted: boolean\n process.parent.code_signature.valid: boolean\n process.parent.command_line: keyword\n process.parent.elf.architecture: keyword\n process.parent.elf.byte_order: keyword\n process.parent.elf.cpu_type: keyword\n process.parent.elf.creation_date: date\n process.parent.elf.header.abi_version: keyword\n process.parent.elf.header.class: keyword\n process.parent.elf.header.data: keyword\n process.parent.elf.header.entrypoint: long\n process.parent.elf.header.object_version: keyword\n process.parent.elf.header.os_abi: keyword\n process.parent.elf.header.type: keyword\n process.parent.elf.header.version: keyword\n process.parent.elf.telfhash: keyword\n process.parent.end: date\n process.parent.entity_id: keyword\n process.parent.executable: keyword\n process.parent.exit_code: long\n process.parent.group.id: keyword\n process.parent.group.name: keyword\n process.parent.group_leader.entity_id: keyword\n process.parent.group_leader.pid: long\n process.parent.group_leader.start: date\n process.parent.hash.md5: keyword\n process.parent.hash.sha1: keyword\n process.parent.hash.sha256: keyword\n process.parent.hash.sha384: keyword\n process.parent.hash.sha512: keyword\n process.parent.hash.ssdeep: keyword\n process.parent.hash.tlsh: keyword\n process.parent.interactive: boolean\n process.parent.name: keyword\n process.parent.pe.architecture: keyword\n process.parent.pe.company: keyword\n process.parent.pe.description: keyword\n process.parent.pe.file_version: keyword\n process.parent.pe.imphash: keyword\n process.parent.pe.original_file_name: keyword\n process.parent.pe.pehash: keyword\n process.parent.pe.product: keyword\n process.parent.pgid: long\n process.parent.pid: long\n process.parent.real_group.id: keyword\n process.parent.real_group.name: keyword\n 
process.parent.real_user.id: keyword\n process.parent.real_user.name: keyword\n process.parent.saved_group.id: keyword\n process.parent.saved_group.name: keyword\n process.parent.saved_user.id: keyword\n process.parent.saved_user.name: keyword\n process.parent.start: date\n process.parent.supplemental_groups.id: keyword\n process.parent.supplemental_groups.name: keyword\n process.parent.thread.id: long\n process.parent.thread.name: keyword\n process.parent.title: keyword\n process.parent.uptime: long\n process.parent.user.id: keyword\n process.parent.user.name: keyword\n process.parent.working_directory: keyword\n process.pe.architecture: keyword\n process.pe.company: keyword\n process.pe.description: keyword\n process.pe.file_version: keyword\n process.pe.imphash: keyword\n process.pe.original_file_name: keyword\n process.pe.pehash: keyword\n process.pe.product: keyword\n process.pgid: long\n process.pid: long\n process.previous.args_count: long\n process.previous.executable: keyword\n process.real_group.id: keyword\n process.real_group.name: keyword\n process.real_user.id: keyword\n process.real_user.name: keyword\n process.saved_group.id: keyword\n process.saved_group.name: keyword\n process.saved_user.id: keyword\n process.saved_user.name: keyword\n process.session_leader.args_count: long\n process.session_leader.command_line: keyword\n process.session_leader.entity_id: keyword\n process.session_leader.executable: keyword\n process.session_leader.group.id: keyword\n process.session_leader.group.name: keyword\n process.session_leader.interactive: boolean\n process.session_leader.name: keyword\n process.session_leader.parent.entity_id: keyword\n process.session_leader.parent.pid: long\n process.session_leader.parent.session_leader.entity_id: keyword\n process.session_leader.parent.session_leader.pid: long\n process.session_leader.parent.session_leader.start: date\n process.session_leader.parent.start: date\n process.session_leader.pid: long\n 
process.session_leader.real_group.id: keyword\n process.session_leader.real_group.name: keyword\n process.session_leader.real_user.id: keyword\n process.session_leader.real_user.name: keyword\n process.session_leader.same_as_process: boolean\n process.session_leader.saved_group.id: keyword\n process.session_leader.saved_group.name: keyword\n process.session_leader.saved_user.id: keyword\n process.session_leader.saved_user.name: keyword\n process.session_leader.start: date\n process.session_leader.supplemental_groups.id: keyword\n process.session_leader.supplemental_groups.name: keyword\n process.session_leader.user.id: keyword\n process.session_leader.user.name: keyword\n process.session_leader.working_directory: keyword\n process.start: date\n process.supplemental_groups.id: keyword\n process.supplemental_groups.name: keyword\n process.thread.id: long\n process.thread.name: keyword\n process.title: keyword\n process.uptime: long\n process.user.id: keyword\n process.user.name: keyword\n process.working_directory: keyword\n registry.data.bytes: keyword\n registry.data.type: keyword\n registry.hive: keyword\n registry.key: keyword\n registry.path: keyword\n registry.value: keyword\n rule.category: keyword\n rule.description: keyword\n rule.id: keyword\n rule.license: keyword\n rule.name: keyword\n rule.reference: keyword\n rule.ruleset: keyword\n rule.uuid: keyword\n rule.version: keyword\n server.address: keyword\n server.as.number: long\n server.as.organization.name: keyword\n server.bytes: long\n server.domain: keyword\n server.geo.city_name: keyword\n server.geo.continent_code: keyword\n server.geo.continent_name: keyword\n server.geo.country_iso_code: keyword\n server.geo.country_name: keyword\n server.geo.location: geo_point\n server.geo.name: keyword\n server.geo.postal_code: keyword\n server.geo.region_iso_code: keyword\n server.geo.region_name: keyword\n server.geo.timezone: keyword\n server.ip: ip\n server.mac: keyword\n server.nat.ip: ip\n server.nat.port: 
long\n server.packets: long\n server.port: long\n server.registered_domain: keyword\n server.subdomain: keyword\n server.top_level_domain: keyword\n server.user.domain: keyword\n server.user.email: keyword\n server.user.full_name: keyword\n server.user.group.domain: keyword\n server.user.group.id: keyword\n server.user.group.name: keyword\n server.user.hash: keyword\n server.user.id: keyword\n server.user.name: keyword\n server.user.risk.calculated_level: keyword\n server.user.risk.calculated_score: float\n server.user.risk.calculated_score_norm: float\n server.user.risk.static_level: keyword\n server.user.risk.static_score: float\n server.user.risk.static_score_norm: float\n service.address: keyword\n service.environment: keyword\n service.ephemeral_id: keyword\n service.id: keyword\n service.name: keyword\n service.node.name: keyword\n service.node.role: keyword\n service.origin.address: keyword\n service.origin.environment: keyword\n service.origin.ephemeral_id: keyword\n service.origin.id: keyword\n service.origin.name: keyword\n service.origin.node.name: keyword\n service.origin.node.role: keyword\n service.origin.state: keyword\n service.origin.type: keyword\n service.origin.version: keyword\n service.state: keyword\n service.target.address: keyword\n service.target.environment: keyword\n service.target.ephemeral_id: keyword\n service.target.id: keyword\n service.target.name: keyword\n service.target.node.name: keyword\n service.target.node.role: keyword\n service.target.state: keyword\n service.target.type: keyword\n service.target.version: keyword\n service.type: keyword\n service.version: keyword\n source.address: keyword\n source.as.number: long\n source.as.organization.name: keyword\n source.bytes: long\n source.domain: keyword\n source.geo.city_name: keyword\n source.geo.continent_code: keyword\n source.geo.continent_name: keyword\n source.geo.country_iso_code: keyword\n source.geo.country_name: keyword\n source.geo.location: geo_point\n 
source.geo.name: keyword\n source.geo.postal_code: keyword\n source.geo.region_iso_code: keyword\n source.geo.region_name: keyword\n source.geo.timezone: keyword\n source.ip: ip\n source.mac: keyword\n source.nat.ip: ip\n source.nat.port: long\n source.packets: long\n source.port: long\n source.registered_domain: keyword\n source.subdomain: keyword\n source.top_level_domain: keyword\n source.user.domain: keyword\n source.user.email: keyword\n source.user.full_name: keyword\n source.user.group.domain: keyword\n source.user.group.id: keyword\n source.user.group.name: keyword\n source.user.hash: keyword\n source.user.id: keyword\n source.user.name: keyword\n source.user.risk.calculated_level: keyword\n source.user.risk.calculated_score: float\n source.user.risk.calculated_score_norm: float\n source.user.risk.static_level: keyword\n source.user.risk.static_score: float\n source.user.risk.static_score_norm: float\n span.id: keyword\n threat.feed.dashboard_id: keyword\n threat.feed.description: keyword\n threat.feed.name: keyword\n threat.feed.reference: keyword\n threat.framework: keyword\n threat.group.id: keyword\n threat.group.name: keyword\n threat.group.reference: keyword\n threat.indicator.as.number: long\n threat.indicator.as.organization.name: keyword\n threat.indicator.confidence: keyword\n threat.indicator.description: keyword\n threat.indicator.email.address: keyword\n threat.indicator.file.accessed: date\n threat.indicator.file.code_signature.digest_algorithm: keyword\n threat.indicator.file.code_signature.exists: boolean\n threat.indicator.file.code_signature.signing_id: keyword\n threat.indicator.file.code_signature.status: keyword\n threat.indicator.file.code_signature.subject_name: keyword\n threat.indicator.file.code_signature.team_id: keyword\n threat.indicator.file.code_signature.timestamp: date\n threat.indicator.file.code_signature.trusted: boolean\n threat.indicator.file.code_signature.valid: boolean\n threat.indicator.file.created: date\n 
threat.indicator.file.ctime: date\n threat.indicator.file.device: keyword\n threat.indicator.file.directory: keyword\n threat.indicator.file.drive_letter: keyword\n threat.indicator.file.elf.architecture: keyword\n threat.indicator.file.elf.byte_order: keyword\n threat.indicator.file.elf.cpu_type: keyword\n threat.indicator.file.elf.creation_date: date\n threat.indicator.file.elf.header.abi_version: keyword\n threat.indicator.file.elf.header.class: keyword\n threat.indicator.file.elf.header.data: keyword\n threat.indicator.file.elf.header.entrypoint: long\n threat.indicator.file.elf.header.object_version: keyword\n threat.indicator.file.elf.header.os_abi: keyword\n threat.indicator.file.elf.header.type: keyword\n threat.indicator.file.elf.header.version: keyword\n threat.indicator.file.elf.telfhash: keyword\n threat.indicator.file.extension: keyword\n threat.indicator.file.fork_name: keyword\n threat.indicator.file.gid: keyword\n threat.indicator.file.group: keyword\n threat.indicator.file.hash.md5: keyword\n threat.indicator.file.hash.sha1: keyword\n threat.indicator.file.hash.sha256: keyword\n threat.indicator.file.hash.sha384: keyword\n threat.indicator.file.hash.sha512: keyword\n threat.indicator.file.hash.ssdeep: keyword\n threat.indicator.file.hash.tlsh: keyword\n threat.indicator.file.inode: keyword\n threat.indicator.file.mime_type: keyword\n threat.indicator.file.mode: keyword\n threat.indicator.file.mtime: date\n threat.indicator.file.name: keyword\n threat.indicator.file.owner: keyword\n threat.indicator.file.path: keyword\n threat.indicator.file.pe.architecture: keyword\n threat.indicator.file.pe.company: keyword\n threat.indicator.file.pe.description: keyword\n threat.indicator.file.pe.file_version: keyword\n threat.indicator.file.pe.imphash: keyword\n threat.indicator.file.pe.original_file_name: keyword\n threat.indicator.file.pe.pehash: keyword\n threat.indicator.file.pe.product: keyword\n threat.indicator.file.size: long\n 
threat.indicator.file.target_path: keyword\n threat.indicator.file.type: keyword\n threat.indicator.file.uid: keyword\n threat.indicator.file.x509.issuer.distinguished_name: keyword\n threat.indicator.file.x509.not_after: date\n threat.indicator.file.x509.not_before: date\n threat.indicator.file.x509.public_key_algorithm: keyword\n threat.indicator.file.x509.public_key_curve: keyword\n threat.indicator.file.x509.public_key_exponent: long\n threat.indicator.file.x509.public_key_size: long\n threat.indicator.file.x509.serial_number: keyword\n threat.indicator.file.x509.signature_algorithm: keyword\n threat.indicator.file.x509.subject.distinguished_name: keyword\n threat.indicator.file.x509.version_number: keyword\n threat.indicator.first_seen: date\n threat.indicator.geo.city_name: keyword\n threat.indicator.geo.continent_code: keyword\n threat.indicator.geo.continent_name: keyword\n threat.indicator.geo.country_iso_code: keyword\n threat.indicator.geo.country_name: keyword\n threat.indicator.geo.location: geo_point\n threat.indicator.geo.name: keyword\n threat.indicator.geo.postal_code: keyword\n threat.indicator.geo.region_iso_code: keyword\n threat.indicator.geo.region_name: keyword\n threat.indicator.geo.timezone: keyword\n threat.indicator.ip: ip\n threat.indicator.last_seen: date\n threat.indicator.marking.tlp: keyword\n threat.indicator.modified_at: date\n threat.indicator.port: long\n threat.indicator.provider: keyword\n threat.indicator.reference: keyword\n threat.indicator.registry.data.bytes: keyword\n threat.indicator.registry.data.type: keyword\n threat.indicator.registry.hive: keyword\n threat.indicator.registry.key: keyword\n threat.indicator.registry.path: keyword\n threat.indicator.registry.value: keyword\n threat.indicator.scanner_stats: long\n threat.indicator.sightings: long\n threat.indicator.type: keyword\n threat.indicator.url.domain: keyword\n threat.indicator.url.extension: keyword\n threat.indicator.url.fragment: keyword\n 
threat.indicator.url.full: keyword\n threat.indicator.url.original: keyword\n threat.indicator.url.password: keyword\n threat.indicator.url.path: keyword\n threat.indicator.url.port: long\n threat.indicator.url.query: keyword\n threat.indicator.url.registered_domain: keyword\n threat.indicator.url.scheme: keyword\n threat.indicator.url.subdomain: keyword\n threat.indicator.url.top_level_domain: keyword\n threat.indicator.url.username: keyword\n threat.indicator.x509.issuer.distinguished_name: keyword\n threat.indicator.x509.not_after: date\n threat.indicator.x509.not_before: date\n threat.indicator.x509.public_key_algorithm: keyword\n threat.indicator.x509.public_key_curve: keyword\n threat.indicator.x509.public_key_exponent: long\n threat.indicator.x509.public_key_size: long\n threat.indicator.x509.serial_number: keyword\n threat.indicator.x509.signature_algorithm: keyword\n threat.indicator.x509.subject.distinguished_name: keyword\n threat.indicator.x509.version_number: keyword\n threat.software.id: keyword\n threat.software.name: keyword\n threat.software.reference: keyword\n threat.software.type: keyword\n tls.cipher: keyword\n tls.client.certificate: keyword\n tls.client.hash.md5: keyword\n tls.client.hash.sha1: keyword\n tls.client.hash.sha256: keyword\n tls.client.issuer: keyword\n tls.client.ja3: keyword\n tls.client.not_after: date\n tls.client.not_before: date\n tls.client.server_name: keyword\n tls.client.subject: keyword\n tls.client.x509.issuer.distinguished_name: keyword\n tls.client.x509.not_after: date\n tls.client.x509.not_before: date\n tls.client.x509.public_key_algorithm: keyword\n tls.client.x509.public_key_curve: keyword\n tls.client.x509.public_key_exponent: long\n tls.client.x509.public_key_size: long\n tls.client.x509.serial_number: keyword\n tls.client.x509.signature_algorithm: keyword\n tls.client.x509.subject.distinguished_name: keyword\n tls.client.x509.version_number: keyword\n tls.curve: keyword\n tls.established: boolean\n 
tls.next_protocol: keyword\n tls.resumed: boolean\n tls.server.certificate: keyword\n tls.server.hash.md5: keyword\n tls.server.hash.sha1: keyword\n tls.server.hash.sha256: keyword\n tls.server.issuer: keyword\n tls.server.ja3s: keyword\n tls.server.not_after: date\n tls.server.not_before: date\n tls.server.subject: keyword\n tls.server.x509.issuer.distinguished_name: keyword\n tls.server.x509.not_after: date\n tls.server.x509.not_before: date\n tls.server.x509.public_key_algorithm: keyword\n tls.server.x509.public_key_curve: keyword\n tls.server.x509.public_key_exponent: long\n tls.server.x509.public_key_size: long\n tls.server.x509.serial_number: keyword\n tls.server.x509.signature_algorithm: keyword\n tls.server.x509.subject.distinguished_name: keyword\n tls.server.x509.version_number: keyword\n tls.version: keyword\n tls.version_protocol: keyword\n trace.id: keyword\n transaction.id: keyword\n url.domain: keyword\n url.extension: keyword\n url.fragment: keyword\n url.full: keyword\n url.original: keyword\n url.password: keyword\n url.path: keyword\n url.port: long\n url.query: keyword\n url.registered_domain: keyword\n url.scheme: keyword\n url.subdomain: keyword\n url.top_level_domain: keyword\n url.username: keyword\n user.changes.domain: keyword\n user.changes.email: keyword\n user.changes.full_name: keyword\n user.changes.group.domain: keyword\n user.changes.group.id: keyword\n user.changes.group.name: keyword\n user.changes.hash: keyword\n user.changes.id: keyword\n user.changes.name: keyword\n user.changes.risk.calculated_level: keyword\n user.changes.risk.calculated_score: float\n user.changes.risk.calculated_score_norm: float\n user.changes.risk.static_level: keyword\n user.changes.risk.static_score: float\n user.changes.risk.static_score_norm: float\n user.domain: keyword\n user.effective.domain: keyword\n user.effective.email: keyword\n user.effective.full_name: keyword\n user.effective.group.domain: keyword\n user.effective.group.id: keyword\n 
user.effective.group.name: keyword\n user.effective.hash: keyword\n user.effective.id: keyword\n user.effective.name: keyword\n user.effective.risk.calculated_level: keyword\n user.effective.risk.calculated_score: float\n user.effective.risk.calculated_score_norm: float\n user.effective.risk.static_level: keyword\n user.effective.risk.static_score: float\n user.effective.risk.static_score_norm: float\n user.email: keyword\n user.full_name: keyword\n user.group.domain: keyword\n user.group.id: keyword\n user.group.name: keyword\n user.hash: keyword\n user.id: keyword\n user.name: keyword\n user.risk.calculated_level: keyword\n user.risk.calculated_score: float\n user.risk.calculated_score_norm: float\n user.risk.static_level: keyword\n user.risk.static_score: float\n user.risk.static_score_norm: float\n user.target.domain: keyword\n user.target.email: keyword\n user.target.full_name: keyword\n user.target.group.domain: keyword\n user.target.group.id: keyword\n user.target.group.name: keyword\n user.target.hash: keyword\n user.target.id: keyword\n user.target.name: keyword\n user.target.risk.calculated_level: keyword\n user.target.risk.calculated_score: float\n user.target.risk.calculated_score_norm: float\n user.target.risk.static_level: keyword\n user.target.risk.static_score: float\n user.target.risk.static_score_norm: float\n user_agent.device.name: keyword\n user_agent.name: keyword\n user_agent.original: keyword\n user_agent.os.family: keyword\n user_agent.os.full: keyword\n user_agent.os.kernel: keyword\n user_agent.os.name: keyword\n user_agent.os.platform: keyword\n user_agent.os.type: keyword\n user_agent.os.version: keyword\n user_agent.version: keyword\n vulnerability.classification: keyword\n vulnerability.description: keyword\n vulnerability.enumeration: keyword\n vulnerability.id: keyword\n vulnerability.reference: keyword\n vulnerability.report_id: keyword\n vulnerability.scanner.vendor: keyword\n vulnerability.score.base: float\n 
vulnerability.score.environmental: float\n vulnerability.score.temporal: float\n vulnerability.score.version: keyword\n vulnerability.severity: keyword\n wazuh.queue: long\n wazuh.location: text\n wazuh.message: text\n wazuh.origin: keyword\n wazuh.registered_ip: keyword\n wazuh.source: keyword\n url: url\n user_agent: useragent"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

4. Verify that the response is valid YAML

```yaml
name: schema/wazuh-logpar-types/0
fields:
"@timestamp": date agent.build.original: keyword agent.ephemeral_id: keyword agent.id: keyword agent.name: keyword agent.type: keyword agent.version: keyword client.address: keyword client.as.number: long client.as.organization.name: keyword client.bytes: long client.domain: keyword client.geo.city_name: keyword client.geo.continent_code: keyword client.geo.continent_name: keyword client.geo.country_iso_code: keyword client.geo.country_name: keyword client.geo.location: geo_point client.geo.name: keyword client.geo.postal_code: keyword client.geo.region_iso_code: keyword client.geo.region_name: keyword client.geo.timezone: keyword client.ip: ip client.mac: keyword client.nat.ip: ip client.nat.port: long client.packets: long client.port: long client.registered_domain: keyword client.subdomain: keyword client.top_level_domain: keyword client.user.domain: keyword client.user.email: keyword client.user.full_name: keyword client.user.group.domain: keyword client.user.group.id: keyword client.user.group.name: keyword client.user.hash: keyword client.user.id: keyword client.user.name: keyword client.user.risk.calculated_level: keyword client.user.risk.calculated_score: float client.user.risk.calculated_score_norm: float client.user.risk.static_level: keyword client.user.risk.static_score: float client.user.risk.static_score_norm: float cloud.account.id: keyword cloud.account.name: keyword cloud.availability_zone: keyword cloud.instance.id: keyword 
cloud.instance.name: keyword cloud.machine.type: keyword cloud.origin.account.id: keyword cloud.origin.account.name: keyword cloud.origin.availability_zone: keyword cloud.origin.instance.id: keyword cloud.origin.instance.name: keyword cloud.origin.machine.type: keyword cloud.origin.project.id: keyword cloud.origin.project.name: keyword cloud.origin.provider: keyword cloud.origin.region: keyword cloud.origin.service.name: keyword cloud.project.id: keyword cloud.project.name: keyword cloud.provider: keyword cloud.region: keyword cloud.service.name: keyword cloud.target.account.id: keyword cloud.target.account.name: keyword cloud.target.availability_zone: keyword cloud.target.instance.id: keyword cloud.target.instance.name: keyword cloud.target.machine.type: keyword cloud.target.project.id: keyword cloud.target.project.name: keyword cloud.target.provider: keyword cloud.target.region: keyword cloud.target.service.name: keyword container.cpu.usage: scaled_float container.disk.read.bytes: long container.disk.write.bytes: long container.id: keyword container.image.name: keyword container.memory.usage: scaled_float container.name: keyword container.network.egress.bytes: long container.network.ingress.bytes: long container.runtime: keyword data_stream.dataset: keyword data_stream.namespace: keyword data_stream.type: keyword destination.address: keyword destination.as.number: long destination.as.organization.name: keyword destination.bytes: long destination.domain: keyword destination.geo.city_name: keyword destination.geo.continent_code: keyword destination.geo.continent_name: keyword destination.geo.country_iso_code: keyword destination.geo.country_name: keyword destination.geo.location: geo_point destination.geo.name: keyword destination.geo.postal_code: keyword destination.geo.region_iso_code: keyword destination.geo.region_name: keyword destination.geo.timezone: keyword destination.ip: ip destination.mac: keyword destination.nat.ip: ip destination.nat.port: long 
destination.packets: long destination.port: long destination.registered_domain: keyword destination.subdomain: keyword destination.top_level_domain: keyword destination.user.domain: keyword destination.user.email: keyword destination.user.full_name: keyword destination.user.group.domain: keyword destination.user.group.id: keyword destination.user.group.name: keyword destination.user.hash: keyword destination.user.id: keyword destination.user.name: keyword destination.user.risk.calculated_level: keyword destination.user.risk.calculated_score: float destination.user.risk.calculated_score_norm: float destination.user.risk.static_level: keyword destination.user.risk.static_score: float destination.user.risk.static_score_norm: float dll.code_signature.digest_algorithm: keyword dll.code_signature.exists: boolean dll.code_signature.signing_id: keyword dll.code_signature.status: keyword dll.code_signature.subject_name: keyword dll.code_signature.team_id: keyword dll.code_signature.timestamp: date dll.code_signature.trusted: boolean dll.code_signature.valid: boolean dll.hash.md5: keyword dll.hash.sha1: keyword dll.hash.sha256: keyword dll.hash.sha384: keyword dll.hash.sha512: keyword dll.hash.ssdeep: keyword dll.hash.tlsh: keyword dll.name: keyword dll.path: keyword dll.pe.architecture: keyword dll.pe.company: keyword dll.pe.description: keyword dll.pe.file_version: keyword dll.pe.imphash: keyword dll.pe.original_file_name: keyword dll.pe.pehash: keyword dll.pe.product: keyword dns.id: keyword dns.op_code: keyword dns.question.class: keyword dns.question.name: keyword dns.question.registered_domain: keyword dns.question.subdomain: keyword dns.question.top_level_domain: keyword dns.question.type: keyword dns.response_code: keyword dns.type: keyword ecs.version: keyword email.content_type: keyword email.delivery_timestamp: date email.direction: keyword email.local_id: keyword email.message_id: keyword email.origination_timestamp: date email.sender.address: keyword 
email.subject: keyword email.x_mailer: keyword error.code: keyword error.id: keyword error.message: text error.stack_trace: keyword error.type: keyword event.action: keyword event.agent_id_status: keyword event.code: keyword event.created: date event.dataset: keyword event.duration: long event.end: date event.hash: keyword event.id: keyword event.ingested: date event.kind: keyword event.module: keyword event.original: keyword event.outcome: keyword event.provider: keyword event.reason: keyword event.reference: keyword event.risk_score: float event.risk_score_norm: float event.sequence: long event.severity: long event.start: date event.timezone: keyword event.url: keyword faas.coldstart: boolean faas.execution: keyword faas.id: keyword faas.name: keyword faas.version: keyword file.accessed: date file.code_signature.digest_algorithm: keyword file.code_signature.exists: boolean file.code_signature.signing_id: keyword file.code_signature.status: keyword file.code_signature.subject_name: keyword file.code_signature.team_id: keyword file.code_signature.timestamp: date file.code_signature.trusted: boolean file.code_signature.valid: boolean file.created: date file.ctime: date file.device: keyword file.directory: keyword file.drive_letter: keyword file.elf.architecture: keyword file.elf.byte_order: keyword file.elf.cpu_type: keyword file.elf.creation_date: date file.elf.header.abi_version: keyword file.elf.header.class: keyword file.elf.header.data: keyword file.elf.header.entrypoint: long file.elf.header.object_version: keyword file.elf.header.os_abi: keyword file.elf.header.type: keyword file.elf.header.version: keyword file.elf.telfhash: keyword file.extension: keyword file.fork_name: keyword file.gid: keyword file.group: keyword file.hash.md5: keyword file.hash.sha1: keyword file.hash.sha256: keyword file.hash.sha384: keyword file.hash.sha512: keyword file.hash.ssdeep: keyword file.hash.tlsh: keyword file.inode: keyword file.mime_type: keyword file.mode: keyword 
file.mtime: date file.name: keyword file.owner: keyword file.path: keyword file.pe.architecture: keyword file.pe.company: keyword file.pe.description: keyword file.pe.file_version: keyword file.pe.imphash: keyword file.pe.original_file_name: keyword file.pe.pehash: keyword file.pe.product: keyword file.size: long file.target_path: keyword file.type: keyword file.uid: keyword file.x509.issuer.distinguished_name: keyword file.x509.not_after: date file.x509.not_before: date file.x509.public_key_algorithm: keyword file.x509.public_key_curve: keyword file.x509.public_key_exponent: long file.x509.public_key_size: long file.x509.serial_number: keyword file.x509.signature_algorithm: keyword file.x509.subject.distinguished_name: keyword file.x509.version_number: keyword group.domain: keyword group.id: keyword group.name: keyword host.architecture: keyword host.boot.id: keyword host.cpu.usage: scaled_float host.disk.read.bytes: long host.disk.write.bytes: long host.domain: keyword host.geo.city_name: keyword host.geo.continent_code: keyword host.geo.continent_name: keyword host.geo.country_iso_code: keyword host.geo.country_name: keyword host.geo.location: geo_point host.geo.name: keyword host.geo.postal_code: keyword host.geo.region_iso_code: keyword host.geo.region_name: keyword host.geo.timezone: keyword host.hostname: keyword host.id: keyword host.name: keyword host.network.egress.bytes: long host.network.egress.packets: long host.network.ingress.bytes: long host.network.ingress.packets: long host.os.family: keyword host.os.full: keyword host.os.kernel: keyword host.os.name: keyword host.os.platform: keyword host.os.type: keyword host.os.version: keyword host.pid_ns_ino: keyword host.risk.calculated_level: keyword host.risk.calculated_score: float host.risk.calculated_score_norm: float host.risk.static_level: keyword host.risk.static_score: float host.risk.static_score_norm: float host.type: keyword host.uptime: long http.request.body.bytes: long 
http.request.body.content: keyword http.request.bytes: long http.request.id: keyword http.request.method: keyword http.request.mime_type: keyword http.request.referrer: keyword http.response.body.bytes: long http.response.body.content: keyword http.response.bytes: long http.response.mime_type: keyword http.response.status_code: long http.version: keyword log.file.path: keyword log.level: keyword log.logger: keyword log.origin.file.line: long log.origin.file.name: keyword log.origin.function: keyword message: text network.application: keyword network.bytes: long network.community_id: keyword network.direction: keyword network.forwarded_ip: ip network.iana_number: keyword network.name: keyword network.packets: long network.protocol: keyword network.transport: keyword network.type: keyword network.vlan.id: keyword network.vlan.name: keyword observer.geo.city_name: keyword observer.geo.continent_code: keyword observer.geo.continent_name: keyword observer.geo.country_iso_code: keyword observer.geo.country_name: keyword observer.geo.location: geo_point observer.geo.name: keyword observer.geo.postal_code: keyword observer.geo.region_iso_code: keyword observer.geo.region_name: keyword observer.geo.timezone: keyword observer.hostname: keyword observer.name: keyword observer.os.family: keyword observer.os.full: keyword observer.os.kernel: keyword observer.os.name: keyword observer.os.platform: keyword observer.os.type: keyword observer.os.version: keyword observer.product: keyword observer.serial_number: keyword observer.type: keyword observer.vendor: keyword observer.version: keyword orchestrator.api_version: keyword orchestrator.cluster.id: keyword orchestrator.cluster.name: keyword orchestrator.cluster.url: keyword orchestrator.cluster.version: keyword orchestrator.namespace: keyword orchestrator.organization: keyword orchestrator.resource.id: keyword orchestrator.resource.name: keyword orchestrator.resource.parent.type: keyword orchestrator.resource.type: keyword 
orchestrator.type: keyword organization.id: keyword organization.name: keyword package.architecture: keyword package.build_version: keyword package.checksum: keyword package.description: keyword package.install_scope: keyword package.installed: date package.license: keyword package.name: keyword package.path: keyword package.reference: keyword package.size: long package.type: keyword package.version: keyword process.args_count: long process.code_signature.digest_algorithm: keyword process.code_signature.exists: boolean process.code_signature.signing_id: keyword process.code_signature.status: keyword process.code_signature.subject_name: keyword process.code_signature.team_id: keyword process.code_signature.timestamp: date process.code_signature.trusted: boolean process.code_signature.valid: boolean process.command_line: keyword process.elf.architecture: keyword process.elf.byte_order: keyword process.elf.cpu_type: keyword process.elf.creation_date: date process.elf.header.abi_version: keyword process.elf.header.class: keyword process.elf.header.data: keyword process.elf.header.entrypoint: long process.elf.header.object_version: keyword process.elf.header.os_abi: keyword process.elf.header.type: keyword process.elf.header.version: keyword process.elf.telfhash: keyword process.end: date process.entity_id: keyword process.entry_leader.args_count: long process.entry_leader.attested_groups.name: keyword process.entry_leader.attested_user.id: keyword process.entry_leader.attested_user.name: keyword process.entry_leader.command_line: keyword process.entry_leader.entity_id: keyword process.entry_leader.entry_meta.source.ip: ip process.entry_leader.entry_meta.type: keyword process.entry_leader.executable: keyword process.entry_leader.group.id: keyword process.entry_leader.group.name: keyword process.entry_leader.interactive: boolean process.entry_leader.name: keyword process.entry_leader.parent.entity_id: keyword process.entry_leader.parent.pid: long 
process.entry_leader.parent.session_leader.entity_id: keyword process.entry_leader.parent.session_leader.pid: long process.entry_leader.parent.session_leader.start: date process.entry_leader.parent.start: date process.entry_leader.pid: long process.entry_leader.real_group.id: keyword process.entry_leader.real_group.name: keyword process.entry_leader.real_user.id: keyword process.entry_leader.real_user.name: keyword process.entry_leader.same_as_process: boolean process.entry_leader.saved_group.id: keyword process.entry_leader.saved_group.name: keyword process.entry_leader.saved_user.id: keyword process.entry_leader.saved_user.name: keyword process.entry_leader.start: date process.entry_leader.supplemental_groups.id: keyword process.entry_leader.supplemental_groups.name: keyword process.entry_leader.user.id: keyword process.entry_leader.user.name: keyword process.entry_leader.working_directory: keyword process.executable: keyword process.exit_code: long process.group_leader.args_count: long process.group_leader.command_line: keyword process.group_leader.entity_id: keyword process.group_leader.executable: keyword process.group_leader.group.id: keyword process.group_leader.group.name: keyword process.group_leader.interactive: boolean process.group_leader.name: keyword process.group_leader.pid: long process.group_leader.real_group.id: keyword process.group_leader.real_group.name: keyword process.group_leader.real_user.id: keyword process.group_leader.real_user.name: keyword process.group_leader.same_as_process: boolean process.group_leader.saved_group.id: keyword process.group_leader.saved_group.name: keyword process.group_leader.saved_user.id: keyword process.group_leader.saved_user.name: keyword process.group_leader.start: date process.group_leader.supplemental_groups.id: keyword process.group_leader.supplemental_groups.name: keyword process.group_leader.user.id: keyword process.group_leader.user.name: keyword process.group_leader.working_directory: keyword 
process.hash.md5: keyword process.hash.sha1: keyword process.hash.sha256: keyword process.hash.sha384: keyword process.hash.sha512: keyword process.hash.ssdeep: keyword process.hash.tlsh: keyword process.interactive: boolean process.name: keyword process.parent.args_count: long process.parent.code_signature.digest_algorithm: keyword process.parent.code_signature.exists: boolean process.parent.code_signature.signing_id: keyword process.parent.code_signature.status: keyword process.parent.code_signature.subject_name: keyword process.parent.code_signature.team_id: keyword process.parent.code_signature.timestamp: date process.parent.code_signature.trusted: boolean process.parent.code_signature.valid: boolean process.parent.command_line: keyword process.parent.elf.architecture: keyword process.parent.elf.byte_order: keyword process.parent.elf.cpu_type: keyword process.parent.elf.creation_date: date process.parent.elf.header.abi_version: keyword process.parent.elf.header.class: keyword process.parent.elf.header.data: keyword process.parent.elf.header.entrypoint: long process.parent.elf.header.object_version: keyword process.parent.elf.header.os_abi: keyword process.parent.elf.header.type: keyword process.parent.elf.header.version: keyword process.parent.elf.telfhash: keyword process.parent.end: date process.parent.entity_id: keyword process.parent.executable: keyword process.parent.exit_code: long process.parent.group.id: keyword process.parent.group.name: keyword process.parent.group_leader.entity_id: keyword process.parent.group_leader.pid: long process.parent.group_leader.start: date process.parent.hash.md5: keyword process.parent.hash.sha1: keyword process.parent.hash.sha256: keyword process.parent.hash.sha384: keyword process.parent.hash.sha512: keyword process.parent.hash.ssdeep: keyword process.parent.hash.tlsh: keyword process.parent.interactive: boolean process.parent.name: keyword process.parent.pe.architecture: keyword process.parent.pe.company: keyword 
process.parent.pe.description: keyword process.parent.pe.file_version: keyword process.parent.pe.imphash: keyword process.parent.pe.original_file_name: keyword process.parent.pe.pehash: keyword process.parent.pe.product: keyword process.parent.pgid: long process.parent.pid: long process.parent.real_group.id: keyword process.parent.real_group.name: keyword process.parent.real_user.id: keyword process.parent.real_user.name: keyword process.parent.saved_group.id: keyword process.parent.saved_group.name: keyword process.parent.saved_user.id: keyword process.parent.saved_user.name: keyword process.parent.start: date process.parent.supplemental_groups.id: keyword process.parent.supplemental_groups.name: keyword process.parent.thread.id: long process.parent.thread.name: keyword process.parent.title: keyword process.parent.uptime: long process.parent.user.id: keyword process.parent.user.name: keyword process.parent.working_directory: keyword process.pe.architecture: keyword process.pe.company: keyword process.pe.description: keyword process.pe.file_version: keyword process.pe.imphash: keyword process.pe.original_file_name: keyword process.pe.pehash: keyword process.pe.product: keyword process.pgid: long process.pid: long process.previous.args_count: long process.previous.executable: keyword process.real_group.id: keyword process.real_group.name: keyword process.real_user.id: keyword process.real_user.name: keyword process.saved_group.id: keyword process.saved_group.name: keyword process.saved_user.id: keyword process.saved_user.name: keyword process.session_leader.args_count: long process.session_leader.command_line: keyword process.session_leader.entity_id: keyword process.session_leader.executable: keyword process.session_leader.group.id: keyword process.session_leader.group.name: keyword process.session_leader.interactive: boolean process.session_leader.name: keyword process.session_leader.parent.entity_id: keyword process.session_leader.parent.pid: long 
process.session_leader.parent.session_leader.entity_id: keyword process.session_leader.parent.session_leader.pid: long process.session_leader.parent.session_leader.start: date process.session_leader.parent.start: date process.session_leader.pid: long process.session_leader.real_group.id: keyword process.session_leader.real_group.name: keyword process.session_leader.real_user.id: keyword process.session_leader.real_user.name: keyword process.session_leader.same_as_process: boolean process.session_leader.saved_group.id: keyword process.session_leader.saved_group.name: keyword process.session_leader.saved_user.id: keyword process.session_leader.saved_user.name: keyword process.session_leader.start: date process.session_leader.supplemental_groups.id: keyword process.session_leader.supplemental_groups.name: keyword process.session_leader.user.id: keyword process.session_leader.user.name: keyword process.session_leader.working_directory: keyword process.start: date process.supplemental_groups.id: keyword process.supplemental_groups.name: keyword process.thread.id: long process.thread.name: keyword process.title: keyword process.uptime: long process.user.id: keyword process.user.name: keyword process.working_directory: keyword registry.data.bytes: keyword registry.data.type: keyword registry.hive: keyword registry.key: keyword registry.path: keyword registry.value: keyword rule.category: keyword rule.description: keyword rule.id: keyword rule.license: keyword rule.name: keyword rule.reference: keyword rule.ruleset: keyword rule.uuid: keyword rule.version: keyword server.address: keyword server.as.number: long server.as.organization.name: keyword server.bytes: long server.domain: keyword server.geo.city_name: keyword server.geo.continent_code: keyword server.geo.continent_name: keyword server.geo.country_iso_code: keyword server.geo.country_name: keyword server.geo.location: geo_point server.geo.name: keyword server.geo.postal_code: keyword server.geo.region_iso_code: 
keyword server.geo.region_name: keyword server.geo.timezone: keyword server.ip: ip server.mac: keyword server.nat.ip: ip server.nat.port: long server.packets: long server.port: long server.registered_domain: keyword server.subdomain: keyword server.top_level_domain: keyword server.user.domain: keyword server.user.email: keyword server.user.full_name: keyword server.user.group.domain: keyword server.user.group.id: keyword server.user.group.name: keyword server.user.hash: keyword server.user.id: keyword server.user.name: keyword server.user.risk.calculated_level: keyword server.user.risk.calculated_score: float server.user.risk.calculated_score_norm: float server.user.risk.static_level: keyword server.user.risk.static_score: float server.user.risk.static_score_norm: float service.address: keyword service.environment: keyword service.ephemeral_id: keyword service.id: keyword service.name: keyword service.node.name: keyword service.node.role: keyword service.origin.address: keyword service.origin.environment: keyword service.origin.ephemeral_id: keyword service.origin.id: keyword service.origin.name: keyword service.origin.node.name: keyword service.origin.node.role: keyword service.origin.state: keyword service.origin.type: keyword service.origin.version: keyword service.state: keyword service.target.address: keyword service.target.environment: keyword service.target.ephemeral_id: keyword service.target.id: keyword service.target.name: keyword service.target.node.name: keyword service.target.node.role: keyword service.target.state: keyword service.target.type: keyword service.target.version: keyword service.type: keyword service.version: keyword source.address: keyword source.as.number: long source.as.organization.name: keyword source.bytes: long source.domain: keyword source.geo.city_name: keyword source.geo.continent_code: keyword source.geo.continent_name: keyword source.geo.country_iso_code: keyword source.geo.country_name: keyword source.geo.location: geo_point 
source.geo.name: keyword source.geo.postal_code: keyword source.geo.region_iso_code: keyword source.geo.region_name: keyword source.geo.timezone: keyword source.ip: ip source.mac: keyword source.nat.ip: ip source.nat.port: long source.packets: long source.port: long source.registered_domain: keyword source.subdomain: keyword source.top_level_domain: keyword source.user.domain: keyword source.user.email: keyword source.user.full_name: keyword source.user.group.domain: keyword source.user.group.id: keyword source.user.group.name: keyword source.user.hash: keyword source.user.id: keyword source.user.name: keyword source.user.risk.calculated_level: keyword source.user.risk.calculated_score: float source.user.risk.calculated_score_norm: float source.user.risk.static_level: keyword source.user.risk.static_score: float source.user.risk.static_score_norm: float span.id: keyword threat.feed.dashboard_id: keyword threat.feed.description: keyword threat.feed.name: keyword threat.feed.reference: keyword threat.framework: keyword threat.group.id: keyword threat.group.name: keyword threat.group.reference: keyword threat.indicator.as.number: long threat.indicator.as.organization.name: keyword threat.indicator.confidence: keyword threat.indicator.description: keyword threat.indicator.email.address: keyword threat.indicator.file.accessed: date threat.indicator.file.code_signature.digest_algorithm: keyword threat.indicator.file.code_signature.exists: boolean threat.indicator.file.code_signature.signing_id: keyword threat.indicator.file.code_signature.status: keyword threat.indicator.file.code_signature.subject_name: keyword threat.indicator.file.code_signature.team_id: keyword threat.indicator.file.code_signature.timestamp: date threat.indicator.file.code_signature.trusted: boolean threat.indicator.file.code_signature.valid: boolean threat.indicator.file.created: date threat.indicator.file.ctime: date threat.indicator.file.device: keyword threat.indicator.file.directory: keyword 
threat.indicator.file.drive_letter: keyword threat.indicator.file.elf.architecture: keyword threat.indicator.file.elf.byte_order: keyword threat.indicator.file.elf.cpu_type: keyword threat.indicator.file.elf.creation_date: date threat.indicator.file.elf.header.abi_version: keyword threat.indicator.file.elf.header.class: keyword threat.indicator.file.elf.header.data: keyword threat.indicator.file.elf.header.entrypoint: long threat.indicator.file.elf.header.object_version: keyword threat.indicator.file.elf.header.os_abi: keyword threat.indicator.file.elf.header.type: keyword threat.indicator.file.elf.header.version: keyword threat.indicator.file.elf.telfhash: keyword threat.indicator.file.extension: keyword threat.indicator.file.fork_name: keyword threat.indicator.file.gid: keyword threat.indicator.file.group: keyword threat.indicator.file.hash.md5: keyword threat.indicator.file.hash.sha1: keyword threat.indicator.file.hash.sha256: keyword threat.indicator.file.hash.sha384: keyword threat.indicator.file.hash.sha512: keyword threat.indicator.file.hash.ssdeep: keyword threat.indicator.file.hash.tlsh: keyword threat.indicator.file.inode: keyword threat.indicator.file.mime_type: keyword threat.indicator.file.mode: keyword threat.indicator.file.mtime: date threat.indicator.file.name: keyword threat.indicator.file.owner: keyword threat.indicator.file.path: keyword threat.indicator.file.pe.architecture: keyword threat.indicator.file.pe.company: keyword threat.indicator.file.pe.description: keyword threat.indicator.file.pe.file_version: keyword threat.indicator.file.pe.imphash: keyword threat.indicator.file.pe.original_file_name: keyword threat.indicator.file.pe.pehash: keyword threat.indicator.file.pe.product: keyword threat.indicator.file.size: long threat.indicator.file.target_path: keyword threat.indicator.file.type: keyword threat.indicator.file.uid: keyword threat.indicator.file.x509.issuer.distinguished_name: keyword threat.indicator.file.x509.not_after: date 
threat.indicator.file.x509.not_before: date threat.indicator.file.x509.public_key_algorithm: keyword threat.indicator.file.x509.public_key_curve: keyword threat.indicator.file.x509.public_key_exponent: long threat.indicator.file.x509.public_key_size: long threat.indicator.file.x509.serial_number: keyword threat.indicator.file.x509.signature_algorithm: keyword threat.indicator.file.x509.subject.distinguished_name: keyword threat.indicator.file.x509.version_number: keyword threat.indicator.first_seen: date threat.indicator.geo.city_name: keyword threat.indicator.geo.continent_code: keyword threat.indicator.geo.continent_name: keyword threat.indicator.geo.country_iso_code: keyword threat.indicator.geo.country_name: keyword threat.indicator.geo.location: geo_point threat.indicator.geo.name: keyword threat.indicator.geo.postal_code: keyword threat.indicator.geo.region_iso_code: keyword threat.indicator.geo.region_name: keyword threat.indicator.geo.timezone: keyword threat.indicator.ip: ip threat.indicator.last_seen: date threat.indicator.marking.tlp: keyword threat.indicator.modified_at: date threat.indicator.port: long threat.indicator.provider: keyword threat.indicator.reference: keyword threat.indicator.registry.data.bytes: keyword threat.indicator.registry.data.type: keyword threat.indicator.registry.hive: keyword threat.indicator.registry.key: keyword threat.indicator.registry.path: keyword threat.indicator.registry.value: keyword threat.indicator.scanner_stats: long threat.indicator.sightings: long threat.indicator.type: keyword threat.indicator.url.domain: keyword threat.indicator.url.extension: keyword threat.indicator.url.fragment: keyword threat.indicator.url.full: keyword threat.indicator.url.original: keyword threat.indicator.url.password: keyword threat.indicator.url.path: keyword threat.indicator.url.port: long threat.indicator.url.query: keyword threat.indicator.url.registered_domain: keyword threat.indicator.url.scheme: keyword 
threat.indicator.url.subdomain: keyword threat.indicator.url.top_level_domain: keyword threat.indicator.url.username: keyword threat.indicator.x509.issuer.distinguished_name: keyword threat.indicator.x509.not_after: date threat.indicator.x509.not_before: date threat.indicator.x509.public_key_algorithm: keyword threat.indicator.x509.public_key_curve: keyword threat.indicator.x509.public_key_exponent: long threat.indicator.x509.public_key_size: long threat.indicator.x509.serial_number: keyword threat.indicator.x509.signature_algorithm: keyword threat.indicator.x509.subject.distinguished_name: keyword threat.indicator.x509.version_number: keyword threat.software.id: keyword threat.software.name: keyword threat.software.reference: keyword threat.software.type: keyword tls.cipher: keyword tls.client.certificate: keyword tls.client.hash.md5: keyword tls.client.hash.sha1: keyword tls.client.hash.sha256: keyword tls.client.issuer: keyword tls.client.ja3: keyword tls.client.not_after: date tls.client.not_before: date tls.client.server_name: keyword tls.client.subject: keyword tls.client.x509.issuer.distinguished_name: keyword tls.client.x509.not_after: date tls.client.x509.not_before: date tls.client.x509.public_key_algorithm: keyword tls.client.x509.public_key_curve: keyword tls.client.x509.public_key_exponent: long tls.client.x509.public_key_size: long tls.client.x509.serial_number: keyword tls.client.x509.signature_algorithm: keyword tls.client.x509.subject.distinguished_name: keyword tls.client.x509.version_number: keyword tls.curve: keyword tls.established: boolean tls.next_protocol: keyword tls.resumed: boolean tls.server.certificate: keyword tls.server.hash.md5: keyword tls.server.hash.sha1: keyword tls.server.hash.sha256: keyword tls.server.issuer: keyword tls.server.ja3s: keyword tls.server.not_after: date tls.server.not_before: date tls.server.subject: keyword tls.server.x509.issuer.distinguished_name: keyword tls.server.x509.not_after: date 
tls.server.x509.not_before: date tls.server.x509.public_key_algorithm: keyword tls.server.x509.public_key_curve: keyword tls.server.x509.public_key_exponent: long tls.server.x509.public_key_size: long tls.server.x509.serial_number: keyword tls.server.x509.signature_algorithm: keyword tls.server.x509.subject.distinguished_name: keyword tls.server.x509.version_number: keyword tls.version: keyword tls.version_protocol: keyword trace.id: keyword transaction.id: keyword url.domain: keyword url.extension: keyword url.fragment: keyword url.full: keyword url.original: keyword url.password: keyword url.path: keyword url.port: long url.query: keyword url.registered_domain: keyword url.scheme: keyword url.subdomain: keyword url.top_level_domain: keyword url.username: keyword user.changes.domain: keyword user.changes.email: keyword user.changes.full_name: keyword user.changes.group.domain: keyword user.changes.group.id: keyword user.changes.group.name: keyword user.changes.hash: keyword user.changes.id: keyword user.changes.name: keyword user.changes.risk.calculated_level: keyword user.changes.risk.calculated_score: float user.changes.risk.calculated_score_norm: float user.changes.risk.static_level: keyword user.changes.risk.static_score: float user.changes.risk.static_score_norm: float user.domain: keyword user.effective.domain: keyword user.effective.email: keyword user.effective.full_name: keyword user.effective.group.domain: keyword user.effective.group.id: keyword user.effective.group.name: keyword user.effective.hash: keyword user.effective.id: keyword user.effective.name: keyword user.effective.risk.calculated_level: keyword user.effective.risk.calculated_score: float user.effective.risk.calculated_score_norm: float user.effective.risk.static_level: keyword user.effective.risk.static_score: float user.effective.risk.static_score_norm: float user.email: keyword user.full_name: keyword user.group.domain: keyword user.group.id: keyword user.group.name: keyword user.hash: 
keyword user.id: keyword user.name: keyword user.risk.calculated_level: keyword user.risk.calculated_score: float user.risk.calculated_score_norm: float user.risk.static_level: keyword user.risk.static_score: float user.risk.static_score_norm: float user.target.domain: keyword user.target.email: keyword user.target.full_name: keyword user.target.group.domain: keyword user.target.group.id: keyword user.target.group.name: keyword user.target.hash: keyword user.target.id: keyword user.target.name: keyword user.target.risk.calculated_level: keyword user.target.risk.calculated_score: float user.target.risk.calculated_score_norm: float user.target.risk.static_level: keyword user.target.risk.static_score: float user.target.risk.static_score_norm: float user_agent.device.name: keyword user_agent.name: keyword user_agent.original: keyword user_agent.os.family: keyword user_agent.os.full: keyword user_agent.os.kernel: keyword user_agent.os.name: keyword user_agent.os.platform: keyword user_agent.os.type: keyword user_agent.os.version: keyword user_agent.version: keyword vulnerability.classification: keyword vulnerability.description: keyword vulnerability.enumeration: keyword vulnerability.id: keyword vulnerability.reference: keyword vulnerability.report_id: keyword vulnerability.scanner.vendor: keyword vulnerability.score.base: float vulnerability.score.environmental: float vulnerability.score.temporal: float vulnerability.score.version: keyword vulnerability.severity: keyword wazuh.queue: long wazuh.location: text wazuh.message: text wazuh.origin: keyword wazuh.registered_ip: keyword wazuh.source: keyword url: url user_agent: useragent
```

> Results
>
> Valid YAML!
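As an added example (not the wazuh-qa `test_api_endpoint.py` script nor engine code): a client that builds the same `Query` shape recorded in these cases, sends it over the engine's Unix API socket, and checks the reply the way the cases do (status `OK`, content that parses as a schema document, requested name present). The 4-byte length-prefix framing, the mock engine that answers offline, its shortened schema body and its error wording are assumptions constructed for this example.

```python
"""Added example: catalog 'get' over the engine API socket. ASSUMED here: the
<u32 little-endian length><json> framing and the offline mock engine below."""
import json
import os
import socket
import struct
import tempfile
import threading

ENGINE_ORIGIN = {"name": "engine", "module": "api"}
SUPPORTED_TYPES = {"decoder", "schema", "policy", "output", "filter"}


def build_query(case):
    """cases.json entry -> engine API query (the Query line in the issue)."""
    return {
        "version": 1,
        "origin": dict(ENGINE_ORIGIN),
        "command": f"{case['command']}.resource/{case['subcommand']}",
        "parameters": dict(case["parameters"]),
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("socket closed before the full message")
        buf += chunk
    return buf


def _send_framed(sock, payload):  # ASSUMED framing: <u32 length><json>
    data = json.dumps(payload).encode()
    sock.sendall(struct.pack("<I", len(data)) + data)


def _recv_framed(sock):
    (size,) = struct.unpack("<I", _recv_exact(sock, 4))
    return json.loads(_recv_exact(sock, size))


def request(sock_path, case):
    """Send one case to the engine API socket and return the decoded reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        _send_framed(s, build_query(case))
        return _recv_framed(s)


def parse_schema_yaml(content):
    """Minimal parser for the schema document the catalog returns ('name: <id>',
    'fields:', then one indented 'path: type' per line); raises on any other shape."""
    lines = [ln for ln in content.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("name: ") or lines[1] != "fields:":
        raise ValueError("unexpected schema layout")
    fields = {}
    for ln in lines[2:]:
        if not ln[:1].isspace() or ": " not in ln:
            raise ValueError(f"bad field line: {ln!r}")
        key, _, ftype = ln.strip().partition(": ")
        fields[key.strip('"')] = ftype.strip()  # "@timestamp" is quoted in the doc
    return lines[0][len("name: "):].strip(), fields


def check_get_response(response, expected_name):
    """(ok, reason): ok only if status is OK, the content parses as a schema
    document and its name is the requested item."""
    data = response.get("data", {})
    if data.get("status") != "OK":
        return False, f"engine answered {data.get('status')!r}: {data.get('error')!r}"
    try:
        name, fields = parse_schema_yaml(data["content"])
    except (KeyError, ValueError) as exc:
        return False, f"content is not a schema document: {exc}"
    if name != expected_name:
        return False, f"name mismatch: {name!r}"
    return True, f"{len(fields)} typed fields"


# CONSTRUCTED, shortened reply body (the real schema carries several hundred fields).
SAMPLE_SCHEMA = ('name: schema/wazuh-logpar-types/0\nfields:\n  "@timestamp": date\n'
                 '  agent.id: keyword\n  wazuh.queue: long\n')


def _mock_engine(sock_path, ready):
    """Stand-in for the engine: OK for a supported type/format, error otherwise."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            p = _recv_framed(conn).get("parameters", {})
            ok = (p.get("name", "").split("/")[0] in SUPPORTED_TYPES
                  and p.get("format") in ("json", "yaml", "yml"))
            _send_framed(conn, {"data": {"status": "OK", "content": SAMPLE_SCHEMA}} if ok
                         else {"data": {"status": "ERROR", "error": "constructed: unsupported type"}})


def run_case_against_mock(case):
    """Run one case end to end against the mock on a temporary Unix socket."""
    tmp = tempfile.mkdtemp()
    sock_path = os.path.join(tmp, "engine-api.sock")
    ready = threading.Event()
    t = threading.Thread(target=_mock_engine, args=(sock_path, ready), daemon=True)
    t.start()
    ready.wait(5)
    try:
        return request(sock_path, case)
    finally:
        t.join(5)
        os.unlink(sock_path)
        os.rmdir(tmp)
```

Pointing `request()` at the real engine socket path instead of the mock gives the same Query/Response exchange the cases above record.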
Get the already loaded schema by its version as yml (alias for yaml) :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "schema/wazuh-logpar-types/0",
      "format": "yml"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/wazuh-logpar-types/0', 'format': 'yml'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/wazuh-logpar-types/0', 'format': 'yml'}}
Response: {"data":{"status":"OK","content":"name: schema/wazuh-logpar-types/0\nfields:\n \"@timestamp\": date\n agent.build.original: keyword\n agent.ephemeral_id: keyword\n agent.id: keyword\n agent.name: keyword\n agent.type: keyword\n agent.version: keyword\n client.address: keyword\n client.as.number: long\n client.as.organization.name: keyword\n client.bytes: long\n client.domain: keyword\n client.geo.city_name: keyword\n client.geo.continent_code: keyword\n client.geo.continent_name: keyword\n client.geo.country_iso_code: keyword\n client.geo.country_name: keyword\n client.geo.location: geo_point\n client.geo.name: keyword\n client.geo.postal_code: keyword\n client.geo.region_iso_code: keyword\n client.geo.region_name: keyword\n client.geo.timezone: keyword\n client.ip: ip\n client.mac: keyword\n client.nat.ip: ip\n client.nat.port: long\n client.packets: long\n client.port: long\n client.registered_domain: keyword\n client.subdomain: keyword\n client.top_level_domain: keyword\n client.user.domain: keyword\n client.user.email: keyword\n 
client.user.full_name: keyword\n client.user.group.domain: keyword\n client.user.group.id: keyword\n client.user.group.name: keyword\n client.user.hash: keyword\n client.user.id: keyword\n client.user.name: keyword\n client.user.risk.calculated_level: keyword\n client.user.risk.calculated_score: float\n client.user.risk.calculated_score_norm: float\n client.user.risk.static_level: keyword\n client.user.risk.static_score: float\n client.user.risk.static_score_norm: float\n cloud.account.id: keyword\n cloud.account.name: keyword\n cloud.availability_zone: keyword\n cloud.instance.id: keyword\n cloud.instance.name: keyword\n cloud.machine.type: keyword\n cloud.origin.account.id: keyword\n cloud.origin.account.name: keyword\n cloud.origin.availability_zone: keyword\n cloud.origin.instance.id: keyword\n cloud.origin.instance.name: keyword\n cloud.origin.machine.type: keyword\n cloud.origin.project.id: keyword\n cloud.origin.project.name: keyword\n cloud.origin.provider: keyword\n cloud.origin.region: keyword\n cloud.origin.service.name: keyword\n cloud.project.id: keyword\n cloud.project.name: keyword\n cloud.provider: keyword\n cloud.region: keyword\n cloud.service.name: keyword\n cloud.target.account.id: keyword\n cloud.target.account.name: keyword\n cloud.target.availability_zone: keyword\n cloud.target.instance.id: keyword\n cloud.target.instance.name: keyword\n cloud.target.machine.type: keyword\n cloud.target.project.id: keyword\n cloud.target.project.name: keyword\n cloud.target.provider: keyword\n cloud.target.region: keyword\n cloud.target.service.name: keyword\n container.cpu.usage: scaled_float\n container.disk.read.bytes: long\n container.disk.write.bytes: long\n container.id: keyword\n container.image.name: keyword\n container.memory.usage: scaled_float\n container.name: keyword\n container.network.egress.bytes: long\n container.network.ingress.bytes: long\n container.runtime: keyword\n data_stream.dataset: keyword\n data_stream.namespace: keyword\n 
data_stream.type: keyword\n destination.address: keyword\n destination.as.number: long\n destination.as.organization.name: keyword\n destination.bytes: long\n destination.domain: keyword\n destination.geo.city_name: keyword\n destination.geo.continent_code: keyword\n destination.geo.continent_name: keyword\n destination.geo.country_iso_code: keyword\n destination.geo.country_name: keyword\n destination.geo.location: geo_point\n destination.geo.name: keyword\n destination.geo.postal_code: keyword\n destination.geo.region_iso_code: keyword\n destination.geo.region_name: keyword\n destination.geo.timezone: keyword\n destination.ip: ip\n destination.mac: keyword\n destination.nat.ip: ip\n destination.nat.port: long\n destination.packets: long\n destination.port: long\n destination.registered_domain: keyword\n destination.subdomain: keyword\n destination.top_level_domain: keyword\n destination.user.domain: keyword\n destination.user.email: keyword\n destination.user.full_name: keyword\n destination.user.group.domain: keyword\n destination.user.group.id: keyword\n destination.user.group.name: keyword\n destination.user.hash: keyword\n destination.user.id: keyword\n destination.user.name: keyword\n destination.user.risk.calculated_level: keyword\n destination.user.risk.calculated_score: float\n destination.user.risk.calculated_score_norm: float\n destination.user.risk.static_level: keyword\n destination.user.risk.static_score: float\n destination.user.risk.static_score_norm: float\n dll.code_signature.digest_algorithm: keyword\n dll.code_signature.exists: boolean\n dll.code_signature.signing_id: keyword\n dll.code_signature.status: keyword\n dll.code_signature.subject_name: keyword\n dll.code_signature.team_id: keyword\n dll.code_signature.timestamp: date\n dll.code_signature.trusted: boolean\n dll.code_signature.valid: boolean\n dll.hash.md5: keyword\n dll.hash.sha1: keyword\n dll.hash.sha256: keyword\n dll.hash.sha384: keyword\n dll.hash.sha512: keyword\n 
dll.hash.ssdeep: keyword\n dll.hash.tlsh: keyword\n dll.name: keyword\n dll.path: keyword\n dll.pe.architecture: keyword\n dll.pe.company: keyword\n dll.pe.description: keyword\n dll.pe.file_version: keyword\n dll.pe.imphash: keyword\n dll.pe.original_file_name: keyword\n dll.pe.pehash: keyword\n dll.pe.product: keyword\n dns.id: keyword\n dns.op_code: keyword\n dns.question.class: keyword\n dns.question.name: keyword\n dns.question.registered_domain: keyword\n dns.question.subdomain: keyword\n dns.question.top_level_domain: keyword\n dns.question.type: keyword\n dns.response_code: keyword\n dns.type: keyword\n ecs.version: keyword\n email.content_type: keyword\n email.delivery_timestamp: date\n email.direction: keyword\n email.local_id: keyword\n email.message_id: keyword\n email.origination_timestamp: date\n email.sender.address: keyword\n email.subject: keyword\n email.x_mailer: keyword\n error.code: keyword\n error.id: keyword\n error.message: text\n error.stack_trace: keyword\n error.type: keyword\n event.action: keyword\n event.agent_id_status: keyword\n event.code: keyword\n event.created: date\n event.dataset: keyword\n event.duration: long\n event.end: date\n event.hash: keyword\n event.id: keyword\n event.ingested: date\n event.kind: keyword\n event.module: keyword\n event.original: keyword\n event.outcome: keyword\n event.provider: keyword\n event.reason: keyword\n event.reference: keyword\n event.risk_score: float\n event.risk_score_norm: float\n event.sequence: long\n event.severity: long\n event.start: date\n event.timezone: keyword\n event.url: keyword\n faas.coldstart: boolean\n faas.execution: keyword\n faas.id: keyword\n faas.name: keyword\n faas.version: keyword\n file.accessed: date\n file.code_signature.digest_algorithm: keyword\n file.code_signature.exists: boolean\n file.code_signature.signing_id: keyword\n file.code_signature.status: keyword\n file.code_signature.subject_name: keyword\n file.code_signature.team_id: keyword\n 
file.code_signature.timestamp: date\n file.code_signature.trusted: boolean\n file.code_signature.valid: boolean\n file.created: date\n file.ctime: date\n file.device: keyword\n file.directory: keyword\n file.drive_letter: keyword\n file.elf.architecture: keyword\n file.elf.byte_order: keyword\n file.elf.cpu_type: keyword\n file.elf.creation_date: date\n file.elf.header.abi_version: keyword\n file.elf.header.class: keyword\n file.elf.header.data: keyword\n file.elf.header.entrypoint: long\n file.elf.header.object_version: keyword\n file.elf.header.os_abi: keyword\n file.elf.header.type: keyword\n file.elf.header.version: keyword\n file.elf.telfhash: keyword\n file.extension: keyword\n file.fork_name: keyword\n file.gid: keyword\n file.group: keyword\n file.hash.md5: keyword\n file.hash.sha1: keyword\n file.hash.sha256: keyword\n file.hash.sha384: keyword\n file.hash.sha512: keyword\n file.hash.ssdeep: keyword\n file.hash.tlsh: keyword\n file.inode: keyword\n file.mime_type: keyword\n file.mode: keyword\n file.mtime: date\n file.name: keyword\n file.owner: keyword\n file.path: keyword\n file.pe.architecture: keyword\n file.pe.company: keyword\n file.pe.description: keyword\n file.pe.file_version: keyword\n file.pe.imphash: keyword\n file.pe.original_file_name: keyword\n file.pe.pehash: keyword\n file.pe.product: keyword\n file.size: long\n file.target_path: keyword\n file.type: keyword\n file.uid: keyword\n file.x509.issuer.distinguished_name: keyword\n file.x509.not_after: date\n file.x509.not_before: date\n file.x509.public_key_algorithm: keyword\n file.x509.public_key_curve: keyword\n file.x509.public_key_exponent: long\n file.x509.public_key_size: long\n file.x509.serial_number: keyword\n file.x509.signature_algorithm: keyword\n file.x509.subject.distinguished_name: keyword\n file.x509.version_number: keyword\n group.domain: keyword\n group.id: keyword\n group.name: keyword\n host.architecture: keyword\n host.boot.id: keyword\n host.cpu.usage: scaled_float\n 
host.disk.read.bytes: long\n host.disk.write.bytes: long\n host.domain: keyword\n host.geo.city_name: keyword\n host.geo.continent_code: keyword\n host.geo.continent_name: keyword\n host.geo.country_iso_code: keyword\n host.geo.country_name: keyword\n host.geo.location: geo_point\n host.geo.name: keyword\n host.geo.postal_code: keyword\n host.geo.region_iso_code: keyword\n host.geo.region_name: keyword\n host.geo.timezone: keyword\n host.hostname: keyword\n host.id: keyword\n host.name: keyword\n host.network.egress.bytes: long\n host.network.egress.packets: long\n host.network.ingress.bytes: long\n host.network.ingress.packets: long\n host.os.family: keyword\n host.os.full: keyword\n host.os.kernel: keyword\n host.os.name: keyword\n host.os.platform: keyword\n host.os.type: keyword\n host.os.version: keyword\n host.pid_ns_ino: keyword\n host.risk.calculated_level: keyword\n host.risk.calculated_score: float\n host.risk.calculated_score_norm: float\n host.risk.static_level: keyword\n host.risk.static_score: float\n host.risk.static_score_norm: float\n host.type: keyword\n host.uptime: long\n http.request.body.bytes: long\n http.request.body.content: keyword\n http.request.bytes: long\n http.request.id: keyword\n http.request.method: keyword\n http.request.mime_type: keyword\n http.request.referrer: keyword\n http.response.body.bytes: long\n http.response.body.content: keyword\n http.response.bytes: long\n http.response.mime_type: keyword\n http.response.status_code: long\n http.version: keyword\n log.file.path: keyword\n log.level: keyword\n log.logger: keyword\n log.origin.file.line: long\n log.origin.file.name: keyword\n log.origin.function: keyword\n message: text\n network.application: keyword\n network.bytes: long\n network.community_id: keyword\n network.direction: keyword\n network.forwarded_ip: ip\n network.iana_number: keyword\n network.name: keyword\n network.packets: long\n network.protocol: keyword\n network.transport: keyword\n network.type: keyword\n 
network.vlan.id: keyword\n network.vlan.name: keyword\n observer.geo.city_name: keyword\n observer.geo.continent_code: keyword\n observer.geo.continent_name: keyword\n observer.geo.country_iso_code: keyword\n observer.geo.country_name: keyword\n observer.geo.location: geo_point\n observer.geo.name: keyword\n observer.geo.postal_code: keyword\n observer.geo.region_iso_code: keyword\n observer.geo.region_name: keyword\n observer.geo.timezone: keyword\n observer.hostname: keyword\n observer.name: keyword\n observer.os.family: keyword\n observer.os.full: keyword\n observer.os.kernel: keyword\n observer.os.name: keyword\n observer.os.platform: keyword\n observer.os.type: keyword\n observer.os.version: keyword\n observer.product: keyword\n observer.serial_number: keyword\n observer.type: keyword\n observer.vendor: keyword\n observer.version: keyword\n orchestrator.api_version: keyword\n orchestrator.cluster.id: keyword\n orchestrator.cluster.name: keyword\n orchestrator.cluster.url: keyword\n orchestrator.cluster.version: keyword\n orchestrator.namespace: keyword\n orchestrator.organization: keyword\n orchestrator.resource.id: keyword\n orchestrator.resource.name: keyword\n orchestrator.resource.parent.type: keyword\n orchestrator.resource.type: keyword\n orchestrator.type: keyword\n organization.id: keyword\n organization.name: keyword\n package.architecture: keyword\n package.build_version: keyword\n package.checksum: keyword\n package.description: keyword\n package.install_scope: keyword\n package.installed: date\n package.license: keyword\n package.name: keyword\n package.path: keyword\n package.reference: keyword\n package.size: long\n package.type: keyword\n package.version: keyword\n process.args_count: long\n process.code_signature.digest_algorithm: keyword\n process.code_signature.exists: boolean\n process.code_signature.signing_id: keyword\n process.code_signature.status: keyword\n process.code_signature.subject_name: keyword\n process.code_signature.team_id: 
keyword\n process.code_signature.timestamp: date\n process.code_signature.trusted: boolean\n process.code_signature.valid: boolean\n process.command_line: keyword\n process.elf.architecture: keyword\n process.elf.byte_order: keyword\n process.elf.cpu_type: keyword\n process.elf.creation_date: date\n process.elf.header.abi_version: keyword\n process.elf.header.class: keyword\n process.elf.header.data: keyword\n process.elf.header.entrypoint: long\n process.elf.header.object_version: keyword\n process.elf.header.os_abi: keyword\n process.elf.header.type: keyword\n process.elf.header.version: keyword\n process.elf.telfhash: keyword\n process.end: date\n process.entity_id: keyword\n process.entry_leader.args_count: long\n process.entry_leader.attested_groups.name: keyword\n process.entry_leader.attested_user.id: keyword\n process.entry_leader.attested_user.name: keyword\n process.entry_leader.command_line: keyword\n process.entry_leader.entity_id: keyword\n process.entry_leader.entry_meta.source.ip: ip\n process.entry_leader.entry_meta.type: keyword\n process.entry_leader.executable: keyword\n process.entry_leader.group.id: keyword\n process.entry_leader.group.name: keyword\n process.entry_leader.interactive: boolean\n process.entry_leader.name: keyword\n process.entry_leader.parent.entity_id: keyword\n process.entry_leader.parent.pid: long\n process.entry_leader.parent.session_leader.entity_id: keyword\n process.entry_leader.parent.session_leader.pid: long\n process.entry_leader.parent.session_leader.start: date\n process.entry_leader.parent.start: date\n process.entry_leader.pid: long\n process.entry_leader.real_group.id: keyword\n process.entry_leader.real_group.name: keyword\n process.entry_leader.real_user.id: keyword\n process.entry_leader.real_user.name: keyword\n process.entry_leader.same_as_process: boolean\n process.entry_leader.saved_group.id: keyword\n process.entry_leader.saved_group.name: keyword\n process.entry_leader.saved_user.id: keyword\n 
process.entry_leader.saved_user.name: keyword\n process.entry_leader.start: date\n process.entry_leader.supplemental_groups.id: keyword\n process.entry_leader.supplemental_groups.name: keyword\n process.entry_leader.user.id: keyword\n process.entry_leader.user.name: keyword\n process.entry_leader.working_directory: keyword\n process.executable: keyword\n process.exit_code: long\n process.group_leader.args_count: long\n process.group_leader.command_line: keyword\n process.group_leader.entity_id: keyword\n process.group_leader.executable: keyword\n process.group_leader.group.id: keyword\n process.group_leader.group.name: keyword\n process.group_leader.interactive: boolean\n process.group_leader.name: keyword\n process.group_leader.pid: long\n process.group_leader.real_group.id: keyword\n process.group_leader.real_group.name: keyword\n process.group_leader.real_user.id: keyword\n process.group_leader.real_user.name: keyword\n process.group_leader.same_as_process: boolean\n process.group_leader.saved_group.id: keyword\n process.group_leader.saved_group.name: keyword\n process.group_leader.saved_user.id: keyword\n process.group_leader.saved_user.name: keyword\n process.group_leader.start: date\n process.group_leader.supplemental_groups.id: keyword\n process.group_leader.supplemental_groups.name: keyword\n process.group_leader.user.id: keyword\n process.group_leader.user.name: keyword\n process.group_leader.working_directory: keyword\n process.hash.md5: keyword\n process.hash.sha1: keyword\n process.hash.sha256: keyword\n process.hash.sha384: keyword\n process.hash.sha512: keyword\n process.hash.ssdeep: keyword\n process.hash.tlsh: keyword\n process.interactive: boolean\n process.name: keyword\n process.parent.args_count: long\n process.parent.code_signature.digest_algorithm: keyword\n process.parent.code_signature.exists: boolean\n process.parent.code_signature.signing_id: keyword\n process.parent.code_signature.status: keyword\n 
process.parent.code_signature.subject_name: keyword\n process.parent.code_signature.team_id: keyword\n process.parent.code_signature.timestamp: date\n process.parent.code_signature.trusted: boolean\n process.parent.code_signature.valid: boolean\n process.parent.command_line: keyword\n process.parent.elf.architecture: keyword\n process.parent.elf.byte_order: keyword\n process.parent.elf.cpu_type: keyword\n process.parent.elf.creation_date: date\n process.parent.elf.header.abi_version: keyword\n process.parent.elf.header.class: keyword\n process.parent.elf.header.data: keyword\n process.parent.elf.header.entrypoint: long\n process.parent.elf.header.object_version: keyword\n process.parent.elf.header.os_abi: keyword\n process.parent.elf.header.type: keyword\n process.parent.elf.header.version: keyword\n process.parent.elf.telfhash: keyword\n process.parent.end: date\n process.parent.entity_id: keyword\n process.parent.executable: keyword\n process.parent.exit_code: long\n process.parent.group.id: keyword\n process.parent.group.name: keyword\n process.parent.group_leader.entity_id: keyword\n process.parent.group_leader.pid: long\n process.parent.group_leader.start: date\n process.parent.hash.md5: keyword\n process.parent.hash.sha1: keyword\n process.parent.hash.sha256: keyword\n process.parent.hash.sha384: keyword\n process.parent.hash.sha512: keyword\n process.parent.hash.ssdeep: keyword\n process.parent.hash.tlsh: keyword\n process.parent.interactive: boolean\n process.parent.name: keyword\n process.parent.pe.architecture: keyword\n process.parent.pe.company: keyword\n process.parent.pe.description: keyword\n process.parent.pe.file_version: keyword\n process.parent.pe.imphash: keyword\n process.parent.pe.original_file_name: keyword\n process.parent.pe.pehash: keyword\n process.parent.pe.product: keyword\n process.parent.pgid: long\n process.parent.pid: long\n process.parent.real_group.id: keyword\n process.parent.real_group.name: keyword\n 
process.parent.real_user.id: keyword\n process.parent.real_user.name: keyword\n process.parent.saved_group.id: keyword\n process.parent.saved_group.name: keyword\n process.parent.saved_user.id: keyword\n process.parent.saved_user.name: keyword\n process.parent.start: date\n process.parent.supplemental_groups.id: keyword\n process.parent.supplemental_groups.name: keyword\n process.parent.thread.id: long\n process.parent.thread.name: keyword\n process.parent.title: keyword\n process.parent.uptime: long\n process.parent.user.id: keyword\n process.parent.user.name: keyword\n process.parent.working_directory: keyword\n process.pe.architecture: keyword\n process.pe.company: keyword\n process.pe.description: keyword\n process.pe.file_version: keyword\n process.pe.imphash: keyword\n process.pe.original_file_name: keyword\n process.pe.pehash: keyword\n process.pe.product: keyword\n process.pgid: long\n process.pid: long\n process.previous.args_count: long\n process.previous.executable: keyword\n process.real_group.id: keyword\n process.real_group.name: keyword\n process.real_user.id: keyword\n process.real_user.name: keyword\n process.saved_group.id: keyword\n process.saved_group.name: keyword\n process.saved_user.id: keyword\n process.saved_user.name: keyword\n process.session_leader.args_count: long\n process.session_leader.command_line: keyword\n process.session_leader.entity_id: keyword\n process.session_leader.executable: keyword\n process.session_leader.group.id: keyword\n process.session_leader.group.name: keyword\n process.session_leader.interactive: boolean\n process.session_leader.name: keyword\n process.session_leader.parent.entity_id: keyword\n process.session_leader.parent.pid: long\n process.session_leader.parent.session_leader.entity_id: keyword\n process.session_leader.parent.session_leader.pid: long\n process.session_leader.parent.session_leader.start: date\n process.session_leader.parent.start: date\n process.session_leader.pid: long\n 
process.session_leader.real_group.id: keyword\n process.session_leader.real_group.name: keyword\n process.session_leader.real_user.id: keyword\n process.session_leader.real_user.name: keyword\n process.session_leader.same_as_process: boolean\n process.session_leader.saved_group.id: keyword\n process.session_leader.saved_group.name: keyword\n process.session_leader.saved_user.id: keyword\n process.session_leader.saved_user.name: keyword\n process.session_leader.start: date\n process.session_leader.supplemental_groups.id: keyword\n process.session_leader.supplemental_groups.name: keyword\n process.session_leader.user.id: keyword\n process.session_leader.user.name: keyword\n process.session_leader.working_directory: keyword\n process.start: date\n process.supplemental_groups.id: keyword\n process.supplemental_groups.name: keyword\n process.thread.id: long\n process.thread.name: keyword\n process.title: keyword\n process.uptime: long\n process.user.id: keyword\n process.user.name: keyword\n process.working_directory: keyword\n registry.data.bytes: keyword\n registry.data.type: keyword\n registry.hive: keyword\n registry.key: keyword\n registry.path: keyword\n registry.value: keyword\n rule.category: keyword\n rule.description: keyword\n rule.id: keyword\n rule.license: keyword\n rule.name: keyword\n rule.reference: keyword\n rule.ruleset: keyword\n rule.uuid: keyword\n rule.version: keyword\n server.address: keyword\n server.as.number: long\n server.as.organization.name: keyword\n server.bytes: long\n server.domain: keyword\n server.geo.city_name: keyword\n server.geo.continent_code: keyword\n server.geo.continent_name: keyword\n server.geo.country_iso_code: keyword\n server.geo.country_name: keyword\n server.geo.location: geo_point\n server.geo.name: keyword\n server.geo.postal_code: keyword\n server.geo.region_iso_code: keyword\n server.geo.region_name: keyword\n server.geo.timezone: keyword\n server.ip: ip\n server.mac: keyword\n server.nat.ip: ip\n server.nat.port: 
long\n server.packets: long\n server.port: long\n server.registered_domain: keyword\n server.subdomain: keyword\n server.top_level_domain: keyword\n server.user.domain: keyword\n server.user.email: keyword\n server.user.full_name: keyword\n server.user.group.domain: keyword\n server.user.group.id: keyword\n server.user.group.name: keyword\n server.user.hash: keyword\n server.user.id: keyword\n server.user.name: keyword\n server.user.risk.calculated_level: keyword\n server.user.risk.calculated_score: float\n server.user.risk.calculated_score_norm: float\n server.user.risk.static_level: keyword\n server.user.risk.static_score: float\n server.user.risk.static_score_norm: float\n service.address: keyword\n service.environment: keyword\n service.ephemeral_id: keyword\n service.id: keyword\n service.name: keyword\n service.node.name: keyword\n service.node.role: keyword\n service.origin.address: keyword\n service.origin.environment: keyword\n service.origin.ephemeral_id: keyword\n service.origin.id: keyword\n service.origin.name: keyword\n service.origin.node.name: keyword\n service.origin.node.role: keyword\n service.origin.state: keyword\n service.origin.type: keyword\n service.origin.version: keyword\n service.state: keyword\n service.target.address: keyword\n service.target.environment: keyword\n service.target.ephemeral_id: keyword\n service.target.id: keyword\n service.target.name: keyword\n service.target.node.name: keyword\n service.target.node.role: keyword\n service.target.state: keyword\n service.target.type: keyword\n service.target.version: keyword\n service.type: keyword\n service.version: keyword\n source.address: keyword\n source.as.number: long\n source.as.organization.name: keyword\n source.bytes: long\n source.domain: keyword\n source.geo.city_name: keyword\n source.geo.continent_code: keyword\n source.geo.continent_name: keyword\n source.geo.country_iso_code: keyword\n source.geo.country_name: keyword\n source.geo.location: geo_point\n 
source.geo.name: keyword\n source.geo.postal_code: keyword\n source.geo.region_iso_code: keyword\n source.geo.region_name: keyword\n source.geo.timezone: keyword\n source.ip: ip\n source.mac: keyword\n source.nat.ip: ip\n source.nat.port: long\n source.packets: long\n source.port: long\n source.registered_domain: keyword\n source.subdomain: keyword\n source.top_level_domain: keyword\n source.user.domain: keyword\n source.user.email: keyword\n source.user.full_name: keyword\n source.user.group.domain: keyword\n source.user.group.id: keyword\n source.user.group.name: keyword\n source.user.hash: keyword\n source.user.id: keyword\n source.user.name: keyword\n source.user.risk.calculated_level: keyword\n source.user.risk.calculated_score: float\n source.user.risk.calculated_score_norm: float\n source.user.risk.static_level: keyword\n source.user.risk.static_score: float\n source.user.risk.static_score_norm: float\n span.id: keyword\n threat.feed.dashboard_id: keyword\n threat.feed.description: keyword\n threat.feed.name: keyword\n threat.feed.reference: keyword\n threat.framework: keyword\n threat.group.id: keyword\n threat.group.name: keyword\n threat.group.reference: keyword\n threat.indicator.as.number: long\n threat.indicator.as.organization.name: keyword\n threat.indicator.confidence: keyword\n threat.indicator.description: keyword\n threat.indicator.email.address: keyword\n threat.indicator.file.accessed: date\n threat.indicator.file.code_signature.digest_algorithm: keyword\n threat.indicator.file.code_signature.exists: boolean\n threat.indicator.file.code_signature.signing_id: keyword\n threat.indicator.file.code_signature.status: keyword\n threat.indicator.file.code_signature.subject_name: keyword\n threat.indicator.file.code_signature.team_id: keyword\n threat.indicator.file.code_signature.timestamp: date\n threat.indicator.file.code_signature.trusted: boolean\n threat.indicator.file.code_signature.valid: boolean\n threat.indicator.file.created: date\n 
threat.indicator.file.ctime: date\n threat.indicator.file.device: keyword\n threat.indicator.file.directory: keyword\n threat.indicator.file.drive_letter: keyword\n threat.indicator.file.elf.architecture: keyword\n threat.indicator.file.elf.byte_order: keyword\n threat.indicator.file.elf.cpu_type: keyword\n threat.indicator.file.elf.creation_date: date\n threat.indicator.file.elf.header.abi_version: keyword\n threat.indicator.file.elf.header.class: keyword\n threat.indicator.file.elf.header.data: keyword\n threat.indicator.file.elf.header.entrypoint: long\n threat.indicator.file.elf.header.object_version: keyword\n threat.indicator.file.elf.header.os_abi: keyword\n threat.indicator.file.elf.header.type: keyword\n threat.indicator.file.elf.header.version: keyword\n threat.indicator.file.elf.telfhash: keyword\n threat.indicator.file.extension: keyword\n threat.indicator.file.fork_name: keyword\n threat.indicator.file.gid: keyword\n threat.indicator.file.group: keyword\n threat.indicator.file.hash.md5: keyword\n threat.indicator.file.hash.sha1: keyword\n threat.indicator.file.hash.sha256: keyword\n threat.indicator.file.hash.sha384: keyword\n threat.indicator.file.hash.sha512: keyword\n threat.indicator.file.hash.ssdeep: keyword\n threat.indicator.file.hash.tlsh: keyword\n threat.indicator.file.inode: keyword\n threat.indicator.file.mime_type: keyword\n threat.indicator.file.mode: keyword\n threat.indicator.file.mtime: date\n threat.indicator.file.name: keyword\n threat.indicator.file.owner: keyword\n threat.indicator.file.path: keyword\n threat.indicator.file.pe.architecture: keyword\n threat.indicator.file.pe.company: keyword\n threat.indicator.file.pe.description: keyword\n threat.indicator.file.pe.file_version: keyword\n threat.indicator.file.pe.imphash: keyword\n threat.indicator.file.pe.original_file_name: keyword\n threat.indicator.file.pe.pehash: keyword\n threat.indicator.file.pe.product: keyword\n threat.indicator.file.size: long\n 
threat.indicator.file.target_path: keyword\n threat.indicator.file.type: keyword\n threat.indicator.file.uid: keyword\n threat.indicator.file.x509.issuer.distinguished_name: keyword\n threat.indicator.file.x509.not_after: date\n threat.indicator.file.x509.not_before: date\n threat.indicator.file.x509.public_key_algorithm: keyword\n threat.indicator.file.x509.public_key_curve: keyword\n threat.indicator.file.x509.public_key_exponent: long\n threat.indicator.file.x509.public_key_size: long\n threat.indicator.file.x509.serial_number: keyword\n threat.indicator.file.x509.signature_algorithm: keyword\n threat.indicator.file.x509.subject.distinguished_name: keyword\n threat.indicator.file.x509.version_number: keyword\n threat.indicator.first_seen: date\n threat.indicator.geo.city_name: keyword\n threat.indicator.geo.continent_code: keyword\n threat.indicator.geo.continent_name: keyword\n threat.indicator.geo.country_iso_code: keyword\n threat.indicator.geo.country_name: keyword\n threat.indicator.geo.location: geo_point\n threat.indicator.geo.name: keyword\n threat.indicator.geo.postal_code: keyword\n threat.indicator.geo.region_iso_code: keyword\n threat.indicator.geo.region_name: keyword\n threat.indicator.geo.timezone: keyword\n threat.indicator.ip: ip\n threat.indicator.last_seen: date\n threat.indicator.marking.tlp: keyword\n threat.indicator.modified_at: date\n threat.indicator.port: long\n threat.indicator.provider: keyword\n threat.indicator.reference: keyword\n threat.indicator.registry.data.bytes: keyword\n threat.indicator.registry.data.type: keyword\n threat.indicator.registry.hive: keyword\n threat.indicator.registry.key: keyword\n threat.indicator.registry.path: keyword\n threat.indicator.registry.value: keyword\n threat.indicator.scanner_stats: long\n threat.indicator.sightings: long\n threat.indicator.type: keyword\n threat.indicator.url.domain: keyword\n threat.indicator.url.extension: keyword\n threat.indicator.url.fragment: keyword\n 
threat.indicator.url.full: keyword\n threat.indicator.url.original: keyword\n threat.indicator.url.password: keyword\n threat.indicator.url.path: keyword\n threat.indicator.url.port: long\n threat.indicator.url.query: keyword\n threat.indicator.url.registered_domain: keyword\n threat.indicator.url.scheme: keyword\n threat.indicator.url.subdomain: keyword\n threat.indicator.url.top_level_domain: keyword\n threat.indicator.url.username: keyword\n threat.indicator.x509.issuer.distinguished_name: keyword\n threat.indicator.x509.not_after: date\n threat.indicator.x509.not_before: date\n threat.indicator.x509.public_key_algorithm: keyword\n threat.indicator.x509.public_key_curve: keyword\n threat.indicator.x509.public_key_exponent: long\n threat.indicator.x509.public_key_size: long\n threat.indicator.x509.serial_number: keyword\n threat.indicator.x509.signature_algorithm: keyword\n threat.indicator.x509.subject.distinguished_name: keyword\n threat.indicator.x509.version_number: keyword\n threat.software.id: keyword\n threat.software.name: keyword\n threat.software.reference: keyword\n threat.software.type: keyword\n tls.cipher: keyword\n tls.client.certificate: keyword\n tls.client.hash.md5: keyword\n tls.client.hash.sha1: keyword\n tls.client.hash.sha256: keyword\n tls.client.issuer: keyword\n tls.client.ja3: keyword\n tls.client.not_after: date\n tls.client.not_before: date\n tls.client.server_name: keyword\n tls.client.subject: keyword\n tls.client.x509.issuer.distinguished_name: keyword\n tls.client.x509.not_after: date\n tls.client.x509.not_before: date\n tls.client.x509.public_key_algorithm: keyword\n tls.client.x509.public_key_curve: keyword\n tls.client.x509.public_key_exponent: long\n tls.client.x509.public_key_size: long\n tls.client.x509.serial_number: keyword\n tls.client.x509.signature_algorithm: keyword\n tls.client.x509.subject.distinguished_name: keyword\n tls.client.x509.version_number: keyword\n tls.curve: keyword\n tls.established: boolean\n 
tls.next_protocol: keyword\n tls.resumed: boolean\n tls.server.certificate: keyword\n tls.server.hash.md5: keyword\n tls.server.hash.sha1: keyword\n tls.server.hash.sha256: keyword\n tls.server.issuer: keyword\n tls.server.ja3s: keyword\n tls.server.not_after: date\n tls.server.not_before: date\n tls.server.subject: keyword\n tls.server.x509.issuer.distinguished_name: keyword\n tls.server.x509.not_after: date\n tls.server.x509.not_before: date\n tls.server.x509.public_key_algorithm: keyword\n tls.server.x509.public_key_curve: keyword\n tls.server.x509.public_key_exponent: long\n tls.server.x509.public_key_size: long\n tls.server.x509.serial_number: keyword\n tls.server.x509.signature_algorithm: keyword\n tls.server.x509.subject.distinguished_name: keyword\n tls.server.x509.version_number: keyword\n tls.version: keyword\n tls.version_protocol: keyword\n trace.id: keyword\n transaction.id: keyword\n url.domain: keyword\n url.extension: keyword\n url.fragment: keyword\n url.full: keyword\n url.original: keyword\n url.password: keyword\n url.path: keyword\n url.port: long\n url.query: keyword\n url.registered_domain: keyword\n url.scheme: keyword\n url.subdomain: keyword\n url.top_level_domain: keyword\n url.username: keyword\n user.changes.domain: keyword\n user.changes.email: keyword\n user.changes.full_name: keyword\n user.changes.group.domain: keyword\n user.changes.group.id: keyword\n user.changes.group.name: keyword\n user.changes.hash: keyword\n user.changes.id: keyword\n user.changes.name: keyword\n user.changes.risk.calculated_level: keyword\n user.changes.risk.calculated_score: float\n user.changes.risk.calculated_score_norm: float\n user.changes.risk.static_level: keyword\n user.changes.risk.static_score: float\n user.changes.risk.static_score_norm: float\n user.domain: keyword\n user.effective.domain: keyword\n user.effective.email: keyword\n user.effective.full_name: keyword\n user.effective.group.domain: keyword\n user.effective.group.id: keyword\n 
user.effective.group.name: keyword\n user.effective.hash: keyword\n user.effective.id: keyword\n user.effective.name: keyword\n user.effective.risk.calculated_level: keyword\n user.effective.risk.calculated_score: float\n user.effective.risk.calculated_score_norm: float\n user.effective.risk.static_level: keyword\n user.effective.risk.static_score: float\n user.effective.risk.static_score_norm: float\n user.email: keyword\n user.full_name: keyword\n user.group.domain: keyword\n user.group.id: keyword\n user.group.name: keyword\n user.hash: keyword\n user.id: keyword\n user.name: keyword\n user.risk.calculated_level: keyword\n user.risk.calculated_score: float\n user.risk.calculated_score_norm: float\n user.risk.static_level: keyword\n user.risk.static_score: float\n user.risk.static_score_norm: float\n user.target.domain: keyword\n user.target.email: keyword\n user.target.full_name: keyword\n user.target.group.domain: keyword\n user.target.group.id: keyword\n user.target.group.name: keyword\n user.target.hash: keyword\n user.target.id: keyword\n user.target.name: keyword\n user.target.risk.calculated_level: keyword\n user.target.risk.calculated_score: float\n user.target.risk.calculated_score_norm: float\n user.target.risk.static_level: keyword\n user.target.risk.static_score: float\n user.target.risk.static_score_norm: float\n user_agent.device.name: keyword\n user_agent.name: keyword\n user_agent.original: keyword\n user_agent.os.family: keyword\n user_agent.os.full: keyword\n user_agent.os.kernel: keyword\n user_agent.os.name: keyword\n user_agent.os.platform: keyword\n user_agent.os.type: keyword\n user_agent.os.version: keyword\n user_agent.version: keyword\n vulnerability.classification: keyword\n vulnerability.description: keyword\n vulnerability.enumeration: keyword\n vulnerability.id: keyword\n vulnerability.reference: keyword\n vulnerability.report_id: keyword\n vulnerability.scanner.vendor: keyword\n vulnerability.score.base: float\n 
vulnerability.score.environmental: float\n vulnerability.score.temporal: float\n vulnerability.score.version: keyword\n vulnerability.severity: keyword\n wazuh.queue: long\n wazuh.location: text\n wazuh.message: text\n wazuh.origin: keyword\n wazuh.registered_ip: keyword\n wazuh.source: keyword\n url: url\n user_agent: useragent"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

4. Verify that the response is valid YAML

```yaml
name: schema/wazuh-logpar-types/0 fields: \"@timestamp\": date agent.build.original: keyword agent.ephemeral_id: keyword agent.id: keyword agent.name: keyword agent.type: keyword agent.version: keyword client.address: keyword client.as.number: long client.as.organization.name: keyword client.bytes: long client.domain: keyword client.geo.city_name: keyword client.geo.continent_code: keyword client.geo.continent_name: keyword client.geo.country_iso_code: keyword client.geo.country_name: keyword client.geo.location: geo_point client.geo.name: keyword client.geo.postal_code: keyword client.geo.region_iso_code: keyword client.geo.region_name: keyword client.geo.timezone: keyword client.ip: ip client.mac: keyword client.nat.ip: ip client.nat.port: long client.packets: long client.port: long client.registered_domain: keyword client.subdomain: keyword client.top_level_domain: keyword client.user.domain: keyword client.user.email: keyword client.user.full_name: keyword client.user.group.domain: keyword client.user.group.id: keyword client.user.group.name: keyword client.user.hash: keyword client.user.id: keyword client.user.name: keyword client.user.risk.calculated_level: keyword client.user.risk.calculated_score: float client.user.risk.calculated_score_norm: float client.user.risk.static_level: keyword client.user.risk.static_score: float client.user.risk.static_score_norm: float cloud.account.id: keyword cloud.account.name: keyword cloud.availability_zone: keyword cloud.instance.id: keyword
cloud.instance.name: keyword cloud.machine.type: keyword cloud.origin.account.id: keyword cloud.origin.account.name: keyword cloud.origin.availability_zone: keyword cloud.origin.instance.id: keyword cloud.origin.instance.name: keyword cloud.origin.machine.type: keyword cloud.origin.project.id: keyword cloud.origin.project.name: keyword cloud.origin.provider: keyword cloud.origin.region: keyword cloud.origin.service.name: keyword cloud.project.id: keyword cloud.project.name: keyword cloud.provider: keyword cloud.region: keyword cloud.service.name: keyword cloud.target.account.id: keyword cloud.target.account.name: keyword cloud.target.availability_zone: keyword cloud.target.instance.id: keyword cloud.target.instance.name: keyword cloud.target.machine.type: keyword cloud.target.project.id: keyword cloud.target.project.name: keyword cloud.target.provider: keyword cloud.target.region: keyword cloud.target.service.name: keyword container.cpu.usage: scaled_float container.disk.read.bytes: long container.disk.write.bytes: long container.id: keyword container.image.name: keyword container.memory.usage: scaled_float container.name: keyword container.network.egress.bytes: long container.network.ingress.bytes: long container.runtime: keyword data_stream.dataset: keyword data_stream.namespace: keyword data_stream.type: keyword destination.address: keyword destination.as.number: long destination.as.organization.name: keyword destination.bytes: long destination.domain: keyword destination.geo.city_name: keyword destination.geo.continent_code: keyword destination.geo.continent_name: keyword destination.geo.country_iso_code: keyword destination.geo.country_name: keyword destination.geo.location: geo_point destination.geo.name: keyword destination.geo.postal_code: keyword destination.geo.region_iso_code: keyword destination.geo.region_name: keyword destination.geo.timezone: keyword destination.ip: ip destination.mac: keyword destination.nat.ip: ip destination.nat.port: long 
destination.packets: long destination.port: long destination.registered_domain: keyword destination.subdomain: keyword destination.top_level_domain: keyword destination.user.domain: keyword destination.user.email: keyword destination.user.full_name: keyword destination.user.group.domain: keyword destination.user.group.id: keyword destination.user.group.name: keyword destination.user.hash: keyword destination.user.id: keyword destination.user.name: keyword destination.user.risk.calculated_level: keyword destination.user.risk.calculated_score: float destination.user.risk.calculated_score_norm: float destination.user.risk.static_level: keyword destination.user.risk.static_score: float destination.user.risk.static_score_norm: float dll.code_signature.digest_algorithm: keyword dll.code_signature.exists: boolean dll.code_signature.signing_id: keyword dll.code_signature.status: keyword dll.code_signature.subject_name: keyword dll.code_signature.team_id: keyword dll.code_signature.timestamp: date dll.code_signature.trusted: boolean dll.code_signature.valid: boolean dll.hash.md5: keyword dll.hash.sha1: keyword dll.hash.sha256: keyword dll.hash.sha384: keyword dll.hash.sha512: keyword dll.hash.ssdeep: keyword dll.hash.tlsh: keyword dll.name: keyword dll.path: keyword dll.pe.architecture: keyword dll.pe.company: keyword dll.pe.description: keyword dll.pe.file_version: keyword dll.pe.imphash: keyword dll.pe.original_file_name: keyword dll.pe.pehash: keyword dll.pe.product: keyword dns.id: keyword dns.op_code: keyword dns.question.class: keyword dns.question.name: keyword dns.question.registered_domain: keyword dns.question.subdomain: keyword dns.question.top_level_domain: keyword dns.question.type: keyword dns.response_code: keyword dns.type: keyword ecs.version: keyword email.content_type: keyword email.delivery_timestamp: date email.direction: keyword email.local_id: keyword email.message_id: keyword email.origination_timestamp: date email.sender.address: keyword 
email.subject: keyword email.x_mailer: keyword error.code: keyword error.id: keyword error.message: text error.stack_trace: keyword error.type: keyword event.action: keyword event.agent_id_status: keyword event.code: keyword event.created: date event.dataset: keyword event.duration: long event.end: date event.hash: keyword event.id: keyword event.ingested: date event.kind: keyword event.module: keyword event.original: keyword event.outcome: keyword event.provider: keyword event.reason: keyword event.reference: keyword event.risk_score: float event.risk_score_norm: float event.sequence: long event.severity: long event.start: date event.timezone: keyword event.url: keyword faas.coldstart: boolean faas.execution: keyword faas.id: keyword faas.name: keyword faas.version: keyword file.accessed: date file.code_signature.digest_algorithm: keyword file.code_signature.exists: boolean file.code_signature.signing_id: keyword file.code_signature.status: keyword file.code_signature.subject_name: keyword file.code_signature.team_id: keyword file.code_signature.timestamp: date file.code_signature.trusted: boolean file.code_signature.valid: boolean file.created: date file.ctime: date file.device: keyword file.directory: keyword file.drive_letter: keyword file.elf.architecture: keyword file.elf.byte_order: keyword file.elf.cpu_type: keyword file.elf.creation_date: date file.elf.header.abi_version: keyword file.elf.header.class: keyword file.elf.header.data: keyword file.elf.header.entrypoint: long file.elf.header.object_version: keyword file.elf.header.os_abi: keyword file.elf.header.type: keyword file.elf.header.version: keyword file.elf.telfhash: keyword file.extension: keyword file.fork_name: keyword file.gid: keyword file.group: keyword file.hash.md5: keyword file.hash.sha1: keyword file.hash.sha256: keyword file.hash.sha384: keyword file.hash.sha512: keyword file.hash.ssdeep: keyword file.hash.tlsh: keyword file.inode: keyword file.mime_type: keyword file.mode: keyword 
file.mtime: date file.name: keyword file.owner: keyword file.path: keyword file.pe.architecture: keyword file.pe.company: keyword file.pe.description: keyword file.pe.file_version: keyword file.pe.imphash: keyword file.pe.original_file_name: keyword file.pe.pehash: keyword file.pe.product: keyword file.size: long file.target_path: keyword file.type: keyword file.uid: keyword file.x509.issuer.distinguished_name: keyword file.x509.not_after: date file.x509.not_before: date file.x509.public_key_algorithm: keyword file.x509.public_key_curve: keyword file.x509.public_key_exponent: long file.x509.public_key_size: long file.x509.serial_number: keyword file.x509.signature_algorithm: keyword file.x509.subject.distinguished_name: keyword file.x509.version_number: keyword group.domain: keyword group.id: keyword group.name: keyword host.architecture: keyword host.boot.id: keyword host.cpu.usage: scaled_float host.disk.read.bytes: long host.disk.write.bytes: long host.domain: keyword host.geo.city_name: keyword host.geo.continent_code: keyword host.geo.continent_name: keyword host.geo.country_iso_code: keyword host.geo.country_name: keyword host.geo.location: geo_point host.geo.name: keyword host.geo.postal_code: keyword host.geo.region_iso_code: keyword host.geo.region_name: keyword host.geo.timezone: keyword host.hostname: keyword host.id: keyword host.name: keyword host.network.egress.bytes: long host.network.egress.packets: long host.network.ingress.bytes: long host.network.ingress.packets: long host.os.family: keyword host.os.full: keyword host.os.kernel: keyword host.os.name: keyword host.os.platform: keyword host.os.type: keyword host.os.version: keyword host.pid_ns_ino: keyword host.risk.calculated_level: keyword host.risk.calculated_score: float host.risk.calculated_score_norm: float host.risk.static_level: keyword host.risk.static_score: float host.risk.static_score_norm: float host.type: keyword host.uptime: long http.request.body.bytes: long 
http.request.body.content: keyword http.request.bytes: long http.request.id: keyword http.request.method: keyword http.request.mime_type: keyword http.request.referrer: keyword http.response.body.bytes: long http.response.body.content: keyword http.response.bytes: long http.response.mime_type: keyword http.response.status_code: long http.version: keyword log.file.path: keyword log.level: keyword log.logger: keyword log.origin.file.line: long log.origin.file.name: keyword log.origin.function: keyword message: text network.application: keyword network.bytes: long network.community_id: keyword network.direction: keyword network.forwarded_ip: ip network.iana_number: keyword network.name: keyword network.packets: long network.protocol: keyword network.transport: keyword network.type: keyword network.vlan.id: keyword network.vlan.name: keyword observer.geo.city_name: keyword observer.geo.continent_code: keyword observer.geo.continent_name: keyword observer.geo.country_iso_code: keyword observer.geo.country_name: keyword observer.geo.location: geo_point observer.geo.name: keyword observer.geo.postal_code: keyword observer.geo.region_iso_code: keyword observer.geo.region_name: keyword observer.geo.timezone: keyword observer.hostname: keyword observer.name: keyword observer.os.family: keyword observer.os.full: keyword observer.os.kernel: keyword observer.os.name: keyword observer.os.platform: keyword observer.os.type: keyword observer.os.version: keyword observer.product: keyword observer.serial_number: keyword observer.type: keyword observer.vendor: keyword observer.version: keyword orchestrator.api_version: keyword orchestrator.cluster.id: keyword orchestrator.cluster.name: keyword orchestrator.cluster.url: keyword orchestrator.cluster.version: keyword orchestrator.namespace: keyword orchestrator.organization: keyword orchestrator.resource.id: keyword orchestrator.resource.name: keyword orchestrator.resource.parent.type: keyword orchestrator.resource.type: keyword 
orchestrator.type: keyword organization.id: keyword organization.name: keyword package.architecture: keyword package.build_version: keyword package.checksum: keyword package.description: keyword package.install_scope: keyword package.installed: date package.license: keyword package.name: keyword package.path: keyword package.reference: keyword package.size: long package.type: keyword package.version: keyword process.args_count: long process.code_signature.digest_algorithm: keyword process.code_signature.exists: boolean process.code_signature.signing_id: keyword process.code_signature.status: keyword process.code_signature.subject_name: keyword process.code_signature.team_id: keyword process.code_signature.timestamp: date process.code_signature.trusted: boolean process.code_signature.valid: boolean process.command_line: keyword process.elf.architecture: keyword process.elf.byte_order: keyword process.elf.cpu_type: keyword process.elf.creation_date: date process.elf.header.abi_version: keyword process.elf.header.class: keyword process.elf.header.data: keyword process.elf.header.entrypoint: long process.elf.header.object_version: keyword process.elf.header.os_abi: keyword process.elf.header.type: keyword process.elf.header.version: keyword process.elf.telfhash: keyword process.end: date process.entity_id: keyword process.entry_leader.args_count: long process.entry_leader.attested_groups.name: keyword process.entry_leader.attested_user.id: keyword process.entry_leader.attested_user.name: keyword process.entry_leader.command_line: keyword process.entry_leader.entity_id: keyword process.entry_leader.entry_meta.source.ip: ip process.entry_leader.entry_meta.type: keyword process.entry_leader.executable: keyword process.entry_leader.group.id: keyword process.entry_leader.group.name: keyword process.entry_leader.interactive: boolean process.entry_leader.name: keyword process.entry_leader.parent.entity_id: keyword process.entry_leader.parent.pid: long 
process.entry_leader.parent.session_leader.entity_id: keyword process.entry_leader.parent.session_leader.pid: long process.entry_leader.parent.session_leader.start: date process.entry_leader.parent.start: date process.entry_leader.pid: long process.entry_leader.real_group.id: keyword process.entry_leader.real_group.name: keyword process.entry_leader.real_user.id: keyword process.entry_leader.real_user.name: keyword process.entry_leader.same_as_process: boolean process.entry_leader.saved_group.id: keyword process.entry_leader.saved_group.name: keyword process.entry_leader.saved_user.id: keyword process.entry_leader.saved_user.name: keyword process.entry_leader.start: date process.entry_leader.supplemental_groups.id: keyword process.entry_leader.supplemental_groups.name: keyword process.entry_leader.user.id: keyword process.entry_leader.user.name: keyword process.entry_leader.working_directory: keyword process.executable: keyword process.exit_code: long process.group_leader.args_count: long process.group_leader.command_line: keyword process.group_leader.entity_id: keyword process.group_leader.executable: keyword process.group_leader.group.id: keyword process.group_leader.group.name: keyword process.group_leader.interactive: boolean process.group_leader.name: keyword process.group_leader.pid: long process.group_leader.real_group.id: keyword process.group_leader.real_group.name: keyword process.group_leader.real_user.id: keyword process.group_leader.real_user.name: keyword process.group_leader.same_as_process: boolean process.group_leader.saved_group.id: keyword process.group_leader.saved_group.name: keyword process.group_leader.saved_user.id: keyword process.group_leader.saved_user.name: keyword process.group_leader.start: date process.group_leader.supplemental_groups.id: keyword process.group_leader.supplemental_groups.name: keyword process.group_leader.user.id: keyword process.group_leader.user.name: keyword process.group_leader.working_directory: keyword 
process.hash.md5: keyword process.hash.sha1: keyword process.hash.sha256: keyword process.hash.sha384: keyword process.hash.sha512: keyword process.hash.ssdeep: keyword process.hash.tlsh: keyword process.interactive: boolean process.name: keyword process.parent.args_count: long process.parent.code_signature.digest_algorithm: keyword process.parent.code_signature.exists: boolean process.parent.code_signature.signing_id: keyword process.parent.code_signature.status: keyword process.parent.code_signature.subject_name: keyword process.parent.code_signature.team_id: keyword process.parent.code_signature.timestamp: date process.parent.code_signature.trusted: boolean process.parent.code_signature.valid: boolean process.parent.command_line: keyword process.parent.elf.architecture: keyword process.parent.elf.byte_order: keyword process.parent.elf.cpu_type: keyword process.parent.elf.creation_date: date process.parent.elf.header.abi_version: keyword process.parent.elf.header.class: keyword process.parent.elf.header.data: keyword process.parent.elf.header.entrypoint: long process.parent.elf.header.object_version: keyword process.parent.elf.header.os_abi: keyword process.parent.elf.header.type: keyword process.parent.elf.header.version: keyword process.parent.elf.telfhash: keyword process.parent.end: date process.parent.entity_id: keyword process.parent.executable: keyword process.parent.exit_code: long process.parent.group.id: keyword process.parent.group.name: keyword process.parent.group_leader.entity_id: keyword process.parent.group_leader.pid: long process.parent.group_leader.start: date process.parent.hash.md5: keyword process.parent.hash.sha1: keyword process.parent.hash.sha256: keyword process.parent.hash.sha384: keyword process.parent.hash.sha512: keyword process.parent.hash.ssdeep: keyword process.parent.hash.tlsh: keyword process.parent.interactive: boolean process.parent.name: keyword process.parent.pe.architecture: keyword process.parent.pe.company: keyword 
process.parent.pe.description: keyword process.parent.pe.file_version: keyword process.parent.pe.imphash: keyword process.parent.pe.original_file_name: keyword process.parent.pe.pehash: keyword process.parent.pe.product: keyword process.parent.pgid: long process.parent.pid: long process.parent.real_group.id: keyword process.parent.real_group.name: keyword process.parent.real_user.id: keyword process.parent.real_user.name: keyword process.parent.saved_group.id: keyword process.parent.saved_group.name: keyword process.parent.saved_user.id: keyword process.parent.saved_user.name: keyword process.parent.start: date process.parent.supplemental_groups.id: keyword process.parent.supplemental_groups.name: keyword process.parent.thread.id: long process.parent.thread.name: keyword process.parent.title: keyword process.parent.uptime: long process.parent.user.id: keyword process.parent.user.name: keyword process.parent.working_directory: keyword process.pe.architecture: keyword process.pe.company: keyword process.pe.description: keyword process.pe.file_version: keyword process.pe.imphash: keyword process.pe.original_file_name: keyword process.pe.pehash: keyword process.pe.product: keyword process.pgid: long process.pid: long process.previous.args_count: long process.previous.executable: keyword process.real_group.id: keyword process.real_group.name: keyword process.real_user.id: keyword process.real_user.name: keyword process.saved_group.id: keyword process.saved_group.name: keyword process.saved_user.id: keyword process.saved_user.name: keyword process.session_leader.args_count: long process.session_leader.command_line: keyword process.session_leader.entity_id: keyword process.session_leader.executable: keyword process.session_leader.group.id: keyword process.session_leader.group.name: keyword process.session_leader.interactive: boolean process.session_leader.name: keyword process.session_leader.parent.entity_id: keyword process.session_leader.parent.pid: long 
process.session_leader.parent.session_leader.entity_id: keyword process.session_leader.parent.session_leader.pid: long process.session_leader.parent.session_leader.start: date process.session_leader.parent.start: date process.session_leader.pid: long process.session_leader.real_group.id: keyword process.session_leader.real_group.name: keyword process.session_leader.real_user.id: keyword process.session_leader.real_user.name: keyword process.session_leader.same_as_process: boolean process.session_leader.saved_group.id: keyword process.session_leader.saved_group.name: keyword process.session_leader.saved_user.id: keyword process.session_leader.saved_user.name: keyword process.session_leader.start: date process.session_leader.supplemental_groups.id: keyword process.session_leader.supplemental_groups.name: keyword process.session_leader.user.id: keyword process.session_leader.user.name: keyword process.session_leader.working_directory: keyword process.start: date process.supplemental_groups.id: keyword process.supplemental_groups.name: keyword process.thread.id: long process.thread.name: keyword process.title: keyword process.uptime: long process.user.id: keyword process.user.name: keyword process.working_directory: keyword registry.data.bytes: keyword registry.data.type: keyword registry.hive: keyword registry.key: keyword registry.path: keyword registry.value: keyword rule.category: keyword rule.description: keyword rule.id: keyword rule.license: keyword rule.name: keyword rule.reference: keyword rule.ruleset: keyword rule.uuid: keyword rule.version: keyword server.address: keyword server.as.number: long server.as.organization.name: keyword server.bytes: long server.domain: keyword server.geo.city_name: keyword server.geo.continent_code: keyword server.geo.continent_name: keyword server.geo.country_iso_code: keyword server.geo.country_name: keyword server.geo.location: geo_point server.geo.name: keyword server.geo.postal_code: keyword server.geo.region_iso_code: 
keyword server.geo.region_name: keyword server.geo.timezone: keyword server.ip: ip server.mac: keyword server.nat.ip: ip server.nat.port: long server.packets: long server.port: long server.registered_domain: keyword server.subdomain: keyword server.top_level_domain: keyword server.user.domain: keyword server.user.email: keyword server.user.full_name: keyword server.user.group.domain: keyword server.user.group.id: keyword server.user.group.name: keyword server.user.hash: keyword server.user.id: keyword server.user.name: keyword server.user.risk.calculated_level: keyword server.user.risk.calculated_score: float server.user.risk.calculated_score_norm: float server.user.risk.static_level: keyword server.user.risk.static_score: float server.user.risk.static_score_norm: float service.address: keyword service.environment: keyword service.ephemeral_id: keyword service.id: keyword service.name: keyword service.node.name: keyword service.node.role: keyword service.origin.address: keyword service.origin.environment: keyword service.origin.ephemeral_id: keyword service.origin.id: keyword service.origin.name: keyword service.origin.node.name: keyword service.origin.node.role: keyword service.origin.state: keyword service.origin.type: keyword service.origin.version: keyword service.state: keyword service.target.address: keyword service.target.environment: keyword service.target.ephemeral_id: keyword service.target.id: keyword service.target.name: keyword service.target.node.name: keyword service.target.node.role: keyword service.target.state: keyword service.target.type: keyword service.target.version: keyword service.type: keyword service.version: keyword source.address: keyword source.as.number: long source.as.organization.name: keyword source.bytes: long source.domain: keyword source.geo.city_name: keyword source.geo.continent_code: keyword source.geo.continent_name: keyword source.geo.country_iso_code: keyword source.geo.country_name: keyword source.geo.location: geo_point 
source.geo.name: keyword source.geo.postal_code: keyword source.geo.region_iso_code: keyword source.geo.region_name: keyword source.geo.timezone: keyword source.ip: ip source.mac: keyword source.nat.ip: ip source.nat.port: long source.packets: long source.port: long source.registered_domain: keyword source.subdomain: keyword source.top_level_domain: keyword source.user.domain: keyword source.user.email: keyword source.user.full_name: keyword source.user.group.domain: keyword source.user.group.id: keyword source.user.group.name: keyword source.user.hash: keyword source.user.id: keyword source.user.name: keyword source.user.risk.calculated_level: keyword source.user.risk.calculated_score: float source.user.risk.calculated_score_norm: float source.user.risk.static_level: keyword source.user.risk.static_score: float source.user.risk.static_score_norm: float span.id: keyword threat.feed.dashboard_id: keyword threat.feed.description: keyword threat.feed.name: keyword threat.feed.reference: keyword threat.framework: keyword threat.group.id: keyword threat.group.name: keyword threat.group.reference: keyword threat.indicator.as.number: long threat.indicator.as.organization.name: keyword threat.indicator.confidence: keyword threat.indicator.description: keyword threat.indicator.email.address: keyword threat.indicator.file.accessed: date threat.indicator.file.code_signature.digest_algorithm: keyword threat.indicator.file.code_signature.exists: boolean threat.indicator.file.code_signature.signing_id: keyword threat.indicator.file.code_signature.status: keyword threat.indicator.file.code_signature.subject_name: keyword threat.indicator.file.code_signature.team_id: keyword threat.indicator.file.code_signature.timestamp: date threat.indicator.file.code_signature.trusted: boolean threat.indicator.file.code_signature.valid: boolean threat.indicator.file.created: date threat.indicator.file.ctime: date threat.indicator.file.device: keyword threat.indicator.file.directory: keyword 
threat.indicator.file.drive_letter: keyword threat.indicator.file.elf.architecture: keyword threat.indicator.file.elf.byte_order: keyword threat.indicator.file.elf.cpu_type: keyword threat.indicator.file.elf.creation_date: date threat.indicator.file.elf.header.abi_version: keyword threat.indicator.file.elf.header.class: keyword threat.indicator.file.elf.header.data: keyword threat.indicator.file.elf.header.entrypoint: long threat.indicator.file.elf.header.object_version: keyword threat.indicator.file.elf.header.os_abi: keyword threat.indicator.file.elf.header.type: keyword threat.indicator.file.elf.header.version: keyword threat.indicator.file.elf.telfhash: keyword threat.indicator.file.extension: keyword threat.indicator.file.fork_name: keyword threat.indicator.file.gid: keyword threat.indicator.file.group: keyword threat.indicator.file.hash.md5: keyword threat.indicator.file.hash.sha1: keyword threat.indicator.file.hash.sha256: keyword threat.indicator.file.hash.sha384: keyword threat.indicator.file.hash.sha512: keyword threat.indicator.file.hash.ssdeep: keyword threat.indicator.file.hash.tlsh: keyword threat.indicator.file.inode: keyword threat.indicator.file.mime_type: keyword threat.indicator.file.mode: keyword threat.indicator.file.mtime: date threat.indicator.file.name: keyword threat.indicator.file.owner: keyword threat.indicator.file.path: keyword threat.indicator.file.pe.architecture: keyword threat.indicator.file.pe.company: keyword threat.indicator.file.pe.description: keyword threat.indicator.file.pe.file_version: keyword threat.indicator.file.pe.imphash: keyword threat.indicator.file.pe.original_file_name: keyword threat.indicator.file.pe.pehash: keyword threat.indicator.file.pe.product: keyword threat.indicator.file.size: long threat.indicator.file.target_path: keyword threat.indicator.file.type: keyword threat.indicator.file.uid: keyword threat.indicator.file.x509.issuer.distinguished_name: keyword threat.indicator.file.x509.not_after: date 
threat.indicator.file.x509.not_before: date threat.indicator.file.x509.public_key_algorithm: keyword threat.indicator.file.x509.public_key_curve: keyword threat.indicator.file.x509.public_key_exponent: long threat.indicator.file.x509.public_key_size: long threat.indicator.file.x509.serial_number: keyword threat.indicator.file.x509.signature_algorithm: keyword threat.indicator.file.x509.subject.distinguished_name: keyword threat.indicator.file.x509.version_number: keyword threat.indicator.first_seen: date threat.indicator.geo.city_name: keyword threat.indicator.geo.continent_code: keyword threat.indicator.geo.continent_name: keyword threat.indicator.geo.country_iso_code: keyword threat.indicator.geo.country_name: keyword threat.indicator.geo.location: geo_point threat.indicator.geo.name: keyword threat.indicator.geo.postal_code: keyword threat.indicator.geo.region_iso_code: keyword threat.indicator.geo.region_name: keyword threat.indicator.geo.timezone: keyword threat.indicator.ip: ip threat.indicator.last_seen: date threat.indicator.marking.tlp: keyword threat.indicator.modified_at: date threat.indicator.port: long threat.indicator.provider: keyword threat.indicator.reference: keyword threat.indicator.registry.data.bytes: keyword threat.indicator.registry.data.type: keyword threat.indicator.registry.hive: keyword threat.indicator.registry.key: keyword threat.indicator.registry.path: keyword threat.indicator.registry.value: keyword threat.indicator.scanner_stats: long threat.indicator.sightings: long threat.indicator.type: keyword threat.indicator.url.domain: keyword threat.indicator.url.extension: keyword threat.indicator.url.fragment: keyword threat.indicator.url.full: keyword threat.indicator.url.original: keyword threat.indicator.url.password: keyword threat.indicator.url.path: keyword threat.indicator.url.port: long threat.indicator.url.query: keyword threat.indicator.url.registered_domain: keyword threat.indicator.url.scheme: keyword 
threat.indicator.url.subdomain: keyword threat.indicator.url.top_level_domain: keyword threat.indicator.url.username: keyword threat.indicator.x509.issuer.distinguished_name: keyword threat.indicator.x509.not_after: date threat.indicator.x509.not_before: date threat.indicator.x509.public_key_algorithm: keyword threat.indicator.x509.public_key_curve: keyword threat.indicator.x509.public_key_exponent: long threat.indicator.x509.public_key_size: long threat.indicator.x509.serial_number: keyword threat.indicator.x509.signature_algorithm: keyword threat.indicator.x509.subject.distinguished_name: keyword threat.indicator.x509.version_number: keyword threat.software.id: keyword threat.software.name: keyword threat.software.reference: keyword threat.software.type: keyword tls.cipher: keyword tls.client.certificate: keyword tls.client.hash.md5: keyword tls.client.hash.sha1: keyword tls.client.hash.sha256: keyword tls.client.issuer: keyword tls.client.ja3: keyword tls.client.not_after: date tls.client.not_before: date tls.client.server_name: keyword tls.client.subject: keyword tls.client.x509.issuer.distinguished_name: keyword tls.client.x509.not_after: date tls.client.x509.not_before: date tls.client.x509.public_key_algorithm: keyword tls.client.x509.public_key_curve: keyword tls.client.x509.public_key_exponent: long tls.client.x509.public_key_size: long tls.client.x509.serial_number: keyword tls.client.x509.signature_algorithm: keyword tls.client.x509.subject.distinguished_name: keyword tls.client.x509.version_number: keyword tls.curve: keyword tls.established: boolean tls.next_protocol: keyword tls.resumed: boolean tls.server.certificate: keyword tls.server.hash.md5: keyword tls.server.hash.sha1: keyword tls.server.hash.sha256: keyword tls.server.issuer: keyword tls.server.ja3s: keyword tls.server.not_after: date tls.server.not_before: date tls.server.subject: keyword tls.server.x509.issuer.distinguished_name: keyword tls.server.x509.not_after: date 
tls.server.x509.not_before: date tls.server.x509.public_key_algorithm: keyword tls.server.x509.public_key_curve: keyword tls.server.x509.public_key_exponent: long tls.server.x509.public_key_size: long tls.server.x509.serial_number: keyword tls.server.x509.signature_algorithm: keyword tls.server.x509.subject.distinguished_name: keyword tls.server.x509.version_number: keyword tls.version: keyword tls.version_protocol: keyword trace.id: keyword transaction.id: keyword url.domain: keyword url.extension: keyword url.fragment: keyword url.full: keyword url.original: keyword url.password: keyword url.path: keyword url.port: long url.query: keyword url.registered_domain: keyword url.scheme: keyword url.subdomain: keyword url.top_level_domain: keyword url.username: keyword user.changes.domain: keyword user.changes.email: keyword user.changes.full_name: keyword user.changes.group.domain: keyword user.changes.group.id: keyword user.changes.group.name: keyword user.changes.hash: keyword user.changes.id: keyword user.changes.name: keyword user.changes.risk.calculated_level: keyword user.changes.risk.calculated_score: float user.changes.risk.calculated_score_norm: float user.changes.risk.static_level: keyword user.changes.risk.static_score: float user.changes.risk.static_score_norm: float user.domain: keyword user.effective.domain: keyword user.effective.email: keyword user.effective.full_name: keyword user.effective.group.domain: keyword user.effective.group.id: keyword user.effective.group.name: keyword user.effective.hash: keyword user.effective.id: keyword user.effective.name: keyword user.effective.risk.calculated_level: keyword user.effective.risk.calculated_score: float user.effective.risk.calculated_score_norm: float user.effective.risk.static_level: keyword user.effective.risk.static_score: float user.effective.risk.static_score_norm: float user.email: keyword user.full_name: keyword user.group.domain: keyword user.group.id: keyword user.group.name: keyword user.hash: 
keyword user.id: keyword user.name: keyword user.risk.calculated_level: keyword user.risk.calculated_score: float user.risk.calculated_score_norm: float user.risk.static_level: keyword user.risk.static_score: float user.risk.static_score_norm: float user.target.domain: keyword user.target.email: keyword user.target.full_name: keyword user.target.group.domain: keyword user.target.group.id: keyword user.target.group.name: keyword user.target.hash: keyword user.target.id: keyword user.target.name: keyword user.target.risk.calculated_level: keyword user.target.risk.calculated_score: float user.target.risk.calculated_score_norm: float user.target.risk.static_level: keyword user.target.risk.static_score: float user.target.risk.static_score_norm: float user_agent.device.name: keyword user_agent.name: keyword user_agent.original: keyword user_agent.os.family: keyword user_agent.os.full: keyword user_agent.os.kernel: keyword user_agent.os.name: keyword user_agent.os.platform: keyword user_agent.os.type: keyword user_agent.os.version: keyword user_agent.version: keyword vulnerability.classification: keyword vulnerability.description: keyword vulnerability.enumeration: keyword vulnerability.id: keyword vulnerability.reference: keyword vulnerability.report_id: keyword vulnerability.scanner.vendor: keyword vulnerability.score.base: float vulnerability.score.environmental: float vulnerability.score.temporal: float vulnerability.score.version: keyword vulnerability.severity: keyword wazuh.queue: long wazuh.location: text wazuh.message: text wazuh.origin: keyword wazuh.registered_ip: keyword wazuh.source: keyword url: url user_agent: useragent
```

> Results
>
> Valid YAML!

5. Verify with meld that the content is the same as that obtained with the yaml format
   1. Paste both content field data into meld
   2. See if there is any highlighted change
   ```
   Files are identical
   ```
roronoasins commented 1 year ago

Scenario Outline 5: catalog - get already loaded items by their version (III)

Get an already loaded policy by its version as json :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "policy/wazuh/0",
         "format": "json"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/wazuh/0', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/wazuh/0', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"{\"name\":\"policy/wazuh/0\",\"integrations\":[\"integration/wazuh-core/0\"]}"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that the response is a valid json
   ```json
   {"name":"policy/wazuh/0","integrations":["integration/wazuh-core/0"]}
   ```

> Results
>
> Valid JSON
Get the already loaded policy by its version as yaml :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "policy/wazuh/0",
         "format": "yaml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/wazuh/0', 'format': 'yaml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/wazuh/0', 'format': 'yaml'}}
   Response: {"data":{"status":"OK","content":"name: policy/wazuh/0\nintegrations:\n - integration/wazuh-core/0"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that the response is a valid yaml
   ```yaml
   name: policy/wazuh/0
   integrations:
    - integration/wazuh-core/0
   ```

> Results
>
> Valid YAML!
Get the already loaded policy by its version as yml (alias for yaml) :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "policy/wazuh/0",
         "format": "yml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/wazuh/0', 'format': 'yml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/wazuh/0', 'format': 'yml'}}
   Response: {"data":{"status":"OK","content":"name: policy/wazuh/0\nintegrations:\n - integration/wazuh-core/0"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that the response is a valid yaml
   ```yaml
   name: policy/wazuh/0
   integrations:
    - integration/wazuh-core/0
   ```

   > Results
   >
   > Valid YAML!

5. Verify with meld that the content is the same as that obtained with the yaml format
   1. Paste both content field data into meld
   2. See if there is any highlighted change
   ```
   Files are identical
   ```

Get an already loaded output by its version as json :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "output/file-output/0",
         "format": "json"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/file-output/0', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/file-output/0', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\"},\"compatibility\":\"This decoder has been tested on Wazuh version 4.3\\n\",\"description\":\"Output events to a file\",\"title\":\"file output event\"},\"name\":\"output/file-output/0\",\"outputs\":[{\"file\":{\"path\":\"/var/ossec/logs/alerts/alerts-ECS.json\"}}]}"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that the response is a valid json
   ```json
   {"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.3\\n","description":"Output events to a file","title":"file output event"},"name":"output/file-output/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}
   ```

> Results
>
> Valid JSON
Get the already loaded output by its version as yaml :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "output/file-output/0",
         "format": "yaml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/file-output/0', 'format': 'yaml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/file-output/0', 'format': 'yaml'}}
   Response: {"data":{"status":"OK","content":"metadata:\n author:\n date: 2022/11/08\n name: Wazuh, Inc.\n compatibility: \"This decoder has been tested on Wazuh version 4.3\\n\"\n description: Output events to a file\n title: file output event\nname: output/file-output/0\noutputs:\n - file:\n path: /var/ossec/logs/alerts/alerts-ECS.json"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that the response is a valid yaml
   ```yaml
   metadata:
     author:
       date: 2022/11/08
       name: Wazuh, Inc.
     compatibility: This decoder has been tested on Wazuh version 4.3\n
     description: Output events to a file
     title: file output event
   name: output/file-output/0
   outputs:
     - file:
         path: /var/ossec/logs/alerts/alerts-ECS.json
   ```

> Results
>
> Valid YAML!
Get the already loaded output by its version as yml (alias for yaml) :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "output/file-output/0",
         "format": "yml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/file-output/0', 'format': 'yml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/file-output/0', 'format': 'yml'}}
   Response: {"data":{"status":"OK","content":"metadata:\n author:\n date: 2022/11/08\n name: Wazuh, Inc.\n compatibility: \"This decoder has been tested on Wazuh version 4.3\\n\"\n description: Output events to a file\n title: file output event\nname: output/file-output/0\noutputs:\n - file:\n path: /var/ossec/logs/alerts/alerts-ECS.json"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that the response is a valid yaml
   ```yaml
   metadata:
     author:
       date: 2022/11/08
       name: Wazuh, Inc.
     compatibility: "This decoder has been tested on Wazuh version 4.3\\n"
     description: Output events to a file
     title: file output event
   name: output/file-output/0
   outputs:
     - file:
         path: /var/ossec/logs/alerts/alerts-ECS.js
   ```

   > Results
   >
   > Valid YAML!

5. Verify with meld that the content is the same as that obtained with the yaml format
   1. Paste both content field data into meld
   2. See if there is any highlighted change
   ```
   Files are identical
   ```

Get an already loaded filter by its version as json :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "filter/allow-all/0",
         "format": "json"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/allow-all/0', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/allow-all/0', 'format': 'json'}}
   Response: {"data":{"status":"OK","content":"{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\",\"url\":\"https://wazuh.com\"},\"description\":\"Default filter to allow all events (for default ruleset)\"},\"name\":\"filter/allow-all/0\"}"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that the response is a valid json
   ```json
   {"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/allow-all/0"}
   ```

> Results
>
> Valid JSON
Get the already loaded output by its version as yaml :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "filter/allow-all/0",
         "format": "yaml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/allow-all/0', 'format': 'yaml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/allow-all/0', 'format': 'yaml'}}
   Response: {"data":{"status":"OK","content":"metadata:\n author:\n date: 2022/11/08\n name: Wazuh, Inc.\n url: https://wazuh.com\n description: Default filter to allow all events (for default ruleset)\nname: filter/allow-all/0"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that the response is a valid yaml
   ```yaml
   metadata:
     author:
       date: 2022/11/08
       name: Wazuh, Inc.
       url: https://wazuh.com
     description: Default filter to allow all events (for default ruleset)
   name: filter/allow-all
   ```

> Results
>
> Valid YAML!
Get the already loaded output by its version as yml (alias for yaml) :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "filter/allow-all/0",
         "format": "yml"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/allow-all/0', 'format': 'yml'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/allow-all/0', 'format': 'yml'}}
   Response: {"data":{"status":"OK","content":"metadata:\n author:\n date: 2022/11/08\n name: Wazuh, Inc.\n url: https://wazuh.com\n description: Default filter to allow all events (for default ruleset)\nname: filter/allow-all/0"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```
4. Verify that the response is a valid yaml
   ```yaml
   metadata:
     author:
       date: 2022/11/08
       name: Wazuh, Inc.
       url: https://wazuh.com
     description: Default filter to allow all events (for default ruleset)
   name: filter/allow-all
   ```

   > Results
   >
   > Valid YAML!

5. Verify with meld that the content is the same as that obtained with the yaml format
   1. Paste both content field data into meld
   2. See if there is any highlighted change
   ```
   Files are identical
   ```
roronoasins commented 1 year ago

Scenario Outline 6: catalog - get not loaded items by their version

Get a not loaded decoder by its version as json :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "decoder/integrations/3",
         "format": "json"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/integrations/3', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/integrations/3', 'format': 'json'}}
   Response: {"data":{"status":"ERROR","error":"Content 'decoder/integrations/3' could not be obtained from store: File '/var/ossec/engine/store/decoder/integrations/3' does not exist"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```

> The error is still very generic, of the form "file X does not exist", instead of saying that the decoder name X does not exist or that version X for decoder Y does not exist.
Get a not loaded schema by its version as json :green_circle:

1. Start the manager
   ```
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
   root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
   ```
2. Add the cases to the `cases.json`
   ```json
   [
     {
       "command": "catalog",
       "subcommand": "get",
       "parameters": {
         "name": "schema/wazuh-asset/3",
         "format": "json"
       }
     }
   ]
   ```
3. Run the custom script to perform the request to the API socket
   ```
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
   ---------
   Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/wazuh-asset/3', 'format': 'json'}}
   Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/wazuh-asset/3', 'format': 'json'}}
   Response: {"data":{"status":"ERROR","error":"Content 'schema/wazuh-asset/3' could not be obtained from store: File '/var/ossec/engine/store/schema/wazuh-asset/3' does not exist"},"error":0}
   root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
   ```

> The error is still very generic, of the form "file X does not exist", instead of saying that the schema name X does not exist or that version X for schema Y does not exist.
Get a not loaded policy by its version as json :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "policy/wazuh/3",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/wazuh/3', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/wazuh/3', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'policy/wazuh/3' could not be obtained from store: File '/var/ossec/engine/store/policy/wazuh/3' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> The error is still generic, reading like "file X does not exist", instead of stating that policy name X does not exist or that version X of policy Y does not exist.
Get a not loaded output by its version as json :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "output/file-output/3",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/file-output/3', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/file-output/3', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'output/file-output/3' could not be obtained from store: File '/var/ossec/engine/store/output/file-output/3' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> The error is still generic, reading like "file X does not exist", instead of stating that output name X does not exist or that version X of output Y does not exist.
Get a not loaded filter by its version as json :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "filter/allow-all/3",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/allow-all/3', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/allow-all/3', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'filter/allow-all/3' could not be obtained from store: File '/var/ossec/engine/store/filter/allow-all/3' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> The error is still generic, reading like "file X does not exist", instead of stating that filter name X does not exist or that version X of filter Y does not exist.

Scenario Outline 7: catalog - get a non-existing collection type

Get a non-existing collection type :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "dede/none",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'dede/none', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'dede/none', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Invalid collection type \"dede\""},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario Outline 8: catalog - update an item

Update an already existing json decoder :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/custom/0",
      "format": "json"
    }
  },
  {
    "command": "router",
    "subcommand": "put",
    "parameters": {
      "name": "decoder/custom/0",
      "format": "json",
      "content": "{\"name\":\"decoder/custom/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/custom/0",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

> Change the queue check
> check: +int_equal/wazuh.queue/50 -> check: +int_equal/wazuh.queue/51

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/custom/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/custom/0', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"{\"name\":\"decoder/custom/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/50\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'put', 'parameters': {'name': 'decoder/custom/0', 'format': 'json', 'content': '{"name":"decoder/custom/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/put', 'parameters': {'name': 'decoder/custom/0', 'format': 'json', 'content': '{"name":"decoder/custom/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/custom/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/custom/0', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"{\"name\":\"decoder/custom/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Update an already existing json schema :green_circle: 1. Start the manager ``` root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# ``` 2. Add the cases to the `cases.json` ```json [ { "command": "catalog", "subcommand": "get", "parameters": { "name": "schema/wazuh-asset/0", "format": "json" } }, { "command": "router", "subcommand": "put", "parameters": { "name": "schema/wazuh-asset/0", "format": "json", "content": "{\"$schema\":\"http://json-schema.org/draft-07/schema#\",\"$id\":\"wazuh-asset.json\",\"name\":\"schema/wazuh-asset/0\",\"title\":\"Schema for Wazuh assets\",\"type\":\"object\",\"description\":\"Schema for Wazuh assets\",\"additionalProperties\":false,\"required\":[\"name\",\"metadata\"],\"anyOf\":[{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"parse\"]},{\"required\":[\"normalize\"]}],\"not\":{\"anyOf\":[{\"required\":[\"allow\"]},{\"required\":[\"outputs\"]}]}},{\"required\":[\"outputs\"],\"not\":{\"anyOf\":[{\"required\":[\"normalize\"]},{\"required\":[\"parse\"]}]}},{\"required\":[\"allow\",\"sources\"],\"not\":{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"normalize\"]}]}}],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name of the asset, short and concise name to identify this asset\",\"pattern\":\"^[^/]+/[^/]+/[^/]+$\"},\"metadata\":{\"type\":\"object\",\"description\":\"Metadata of this item\",\"additionalProperties\":false,\"required\":[\"module\",\"title\",\"description\",\"compatibility\",\"versions\",\"author\",\"references\"],\"properties\":{\"module\":{\"type\":\"string\",\"description\":\"The module this item belongs to\"},\"title\":{\"type\":\"string\",\"description\":\"Short and concise description of this item\"},\"description\":{\"type\":\"string\",\"description\":\"Long description of this item, explaining what it does and how it 
works\"},\"compatibility\":{\"type\":\"string\",\"description\":\"Description of the supported services and versions of the logs processed by this item\"},\"versions\":{\"type\":\"array\",\"description\":\"A list of the service versions supported\",\"items\":{\"type\":\"string\"}},\"author\":{\"type\":\"object\",\"description\":\"Author\",\"additionalProperties\":false,\"required\":[\"name\",\"date\"],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name/Organization\"},\"email\":{\"type\":\"string\",\"description\":\"Email\"},\"url\":{\"type\":\"string\",\"description\":\"URL linking to the author's website\"},\"date\":{\"type\":\"string\",\"description\":\"Date of the author\"}}},\"references\":{\"type\":\"array\",\"description\":\"References to external resources\"}}},\"sources\":{\"type\":\"array\",\"description\":\"This asset will process events coming only from the specified sources\",\"items\":{\"type\":\"string\"}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"allow\":{\"$ref\":\"#/definitions/_check\"},\"normalize\":{\"type\":\"array\",\"description\":\"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].\",\"minItems\":1,\"items\":{\"$ref\":\"#/definitions/_normalizeBlock\"}},\"outputs\":{\"type\":\"array\",\"description\":\"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.\",\"minItems\":1},\"definitions\":{\"type\":\"object\",\"description\":\"Variable definitions, used to define variables that can be reused in other parts of the item\",\"minProperties\":1},\"parse\":{\"$ref\":\"#/definitions/_parse\"}},\"definitions\":{\"_check\":{\"oneOf\":[{\"type\":\"array\",\"description\":\"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.\",\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]},\"minItems\":1},{\"type\":\"string\",\"description\":\"Check conditional expression, the expression must be valuated to true in order to further process events with this asset\"}]},\"_logpar\":{\"type\":\"array\",\"description\":\"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.\",\"minItems\":1,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"_parse\":{\"type\":\"object\",\"description\":\"Parse the event using the specified parser engine. Suports `logpar` parser.\",\"additionalProperties\":false,\"minProperties\":1,\"properties\":{\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}},\"_normalizeBlock\":{\"type\":\"object\",\"description\":\"Never shown\",\"minItems\":1,\"additionalProperties\":true,\"properties\":{\"map\":{\"description\":\"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. 
If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.\",\"type\":\"array\",\"minItems\":2,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}}}}" } }, { "command": "catalog", "subcommand": "get", "parameters": { "name": "schema/wazuh-asset/0", "format": "json" } } ] ``` 3. Run the custom script to perform the request to the API socket > Change a properties.minItems > "minItems":1 -> "minItems":2 ``` root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py --------- Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/wazuh-asset/0', 'format': 'json'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/wazuh-asset/0', 'format': 'json'}} Response: {"data":{"status":"OK","content":"{\"$schema\":\"http://json-schema.org/draft-07/schema#\",\"$id\":\"wazuh-asset.json\",\"name\":\"schema/wazuh-asset/0\",\"title\":\"Schema for Wazuh assets\",\"type\":\"object\",\"description\":\"Schema for Wazuh assets\",\"additionalProperties\":false,\"required\":[\"name\",\"metadata\"],\"anyOf\":[{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"parse\"]},{\"required\":[\"normalize\"]}],\"not\":{\"anyOf\":[{\"required\":[\"allow\"]},{\"required\":[\"outputs\"]}]}},{\"required\":[\"outputs\"],\"not\":{\"anyOf\":[{\"required\":[\"normalize\"]},{\"required\":[\"parse\"]}]}},{\"required\":[\"allow\",\"sources\"],\"not\":{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"normalize\"]}]}}],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name of the asset, short and concise name to identify this 
asset\",\"pattern\":\"^[^/]+/[^/]+/[^/]+$\"},\"metadata\":{\"type\":\"object\",\"description\":\"Metadata of this item\",\"additionalProperties\":false,\"required\":[\"module\",\"title\",\"description\",\"compatibility\",\"versions\",\"author\",\"references\"],\"properties\":{\"module\":{\"type\":\"string\",\"description\":\"The module this item belongs to\"},\"title\":{\"type\":\"string\",\"description\":\"Short and concise description of this item\"},\"description\":{\"type\":\"string\",\"description\":\"Long description of this item, explaining what it does and how it works\"},\"compatibility\":{\"type\":\"string\",\"description\":\"Description of the supported services and versions of the logs processed by this item\"},\"versions\":{\"type\":\"array\",\"description\":\"A list of the service versions supported\",\"items\":{\"type\":\"string\"}},\"author\":{\"type\":\"object\",\"description\":\"Author\",\"additionalProperties\":false,\"required\":[\"name\",\"date\"],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name/Organization\"},\"email\":{\"type\":\"string\",\"description\":\"Email\"},\"url\":{\"type\":\"string\",\"description\":\"URL linking to the author's website\"},\"date\":{\"type\":\"string\",\"description\":\"Date of the author\"}}},\"references\":{\"type\":\"array\",\"description\":\"References to external resources\"}}},\"sources\":{\"type\":\"array\",\"description\":\"This asset will process events coming only from the specified sources\",\"items\":{\"type\":\"string\"}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"allow\":{\"$ref\":\"#/definitions/_check\"},\"normalize\":{\"type\":\"array\",\"description\":\"Modify the event. 
All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].\",\"minItems\":1,\"items\":{\"$ref\":\"#/definitions/_normalizeBlock\"}},\"outputs\":{\"type\":\"array\",\"description\":\"Outputs of the asset. All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.\",\"minItems\":1},\"definitions\":{\"type\":\"object\",\"description\":\"Variable definitions, used to define variables that can be reused in other parts of the item\",\"minProperties\":1},\"parse\":{\"$ref\":\"#/definitions/_parse\"}},\"definitions\":{\"_check\":{\"oneOf\":[{\"type\":\"array\",\"description\":\"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.\",\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]},\"minItems\":1},{\"type\":\"string\",\"description\":\"Check conditional expression, the expression must be valuated to true in order to further process events with this asset\"}]},\"_logpar\":{\"type\":\"array\",\"description\":\"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.\",\"minItems\":1,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"_parse\":{\"type\":\"object\",\"description\":\"Parse the event using the specified parser engine. 
Suports `logpar` parser.\",\"additionalProperties\":false,\"minProperties\":1,\"properties\":{\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}},\"_normalizeBlock\":{\"type\":\"object\",\"description\":\"Never shown\",\"minItems\":1,\"additionalProperties\":true,\"properties\":{\"map\":{\"description\":\"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.\",\"type\":\"array\",\"minItems\":1,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}}}}"},"error":0} --------- Case: {'command': 'router', 'subcommand': 'put', 'parameters': {'name': 'schema/wazuh-asset/0', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/wazuh-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this 
item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/put', 'parameters': {'name': 'schema/wazuh-asset/0', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/wazuh-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions 
supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}} Response: {"data":{"status":"OK"},"error":0} --------- Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/wazuh-asset/0', 'format': 'json'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/wazuh-asset/0', 'format': 'json'}} Response: {"data":{"status":"OK","content":"{\"$schema\":\"http://json-schema.org/draft-07/schema#\",\"$id\":\"wazuh-asset.json\",\"name\":\"schema/wazuh-asset/0\",\"title\":\"Schema for Wazuh assets\",\"type\":\"object\",\"description\":\"Schema for Wazuh assets\",\"additionalProperties\":false,\"required\":[\"name\",\"metadata\"],\"anyOf\":[{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"parse\"]},{\"required\":[\"normalize\"]}],\"not\":{\"anyOf\":[{\"required\":[\"allow\"]},{\"required\":[\"outputs\"]}]}},{\"required\":[\"outputs\"],\"not\":{\"anyOf\":[{\"required\":[\"normalize\"]},{\"required\":[\"parse\"]}]}},{\"required\":[\"allow\",\"sources\"],\"not\":{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"normalize\"]}]}}],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name of the asset, short and concise name to identify this asset\",\"pattern\":\"^[^/]+/[^/]+/[^/]+$\"},\"metadata\":{\"type\":\"object\",\"description\":\"Metadata of this item\",\"additionalProperties\":false,\"required\":[\"module\",\"title\",\"description\",\"compatibility\",\"versions\",\"author\",\"references\"],\"properties\":{\"module\":{\"type\":\"string\",\"description\":\"The module this item belongs to\"},\"title\":{\"type\":\"string\",\"description\":\"Short and concise description of this item\"},\"description\":{\"type\":\"string\",\"description\":\"Long 
description of this item, explaining what it does and how it works\"},\"compatibility\":{\"type\":\"string\",\"description\":\"Description of the supported services and versions of the logs processed by this item\"},\"versions\":{\"type\":\"array\",\"description\":\"A list of the service versions supported\",\"items\":{\"type\":\"string\"}},\"author\":{\"type\":\"object\",\"description\":\"Author\",\"additionalProperties\":false,\"required\":[\"name\",\"date\"],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name/Organization\"},\"email\":{\"type\":\"string\",\"description\":\"Email\"},\"url\":{\"type\":\"string\",\"description\":\"URL linking to the author's website\"},\"date\":{\"type\":\"string\",\"description\":\"Date of the author\"}}},\"references\":{\"type\":\"array\",\"description\":\"References to external resources\"}}},\"sources\":{\"type\":\"array\",\"description\":\"This asset will process events coming only from the specified sources\",\"items\":{\"type\":\"string\"}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"allow\":{\"$ref\":\"#/definitions/_check\"},\"normalize\":{\"type\":\"array\",\"description\":\"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].\",\"minItems\":1,\"items\":{\"$ref\":\"#/definitions/_normalizeBlock\"}},\"outputs\":{\"type\":\"array\",\"description\":\"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.\",\"minItems\":1},\"definitions\":{\"type\":\"object\",\"description\":\"Variable definitions, used to define variables that can be reused in other parts of the item\",\"minProperties\":1},\"parse\":{\"$ref\":\"#/definitions/_parse\"}},\"definitions\":{\"_check\":{\"oneOf\":[{\"type\":\"array\",\"description\":\"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.\",\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]},\"minItems\":1},{\"type\":\"string\",\"description\":\"Check conditional expression, the expression must be valuated to true in order to further process events with this asset\"}]},\"_logpar\":{\"type\":\"array\",\"description\":\"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.\",\"minItems\":1,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"_parse\":{\"type\":\"object\",\"description\":\"Parse the event using the specified parser engine. Suports `logpar` parser.\",\"additionalProperties\":false,\"minProperties\":1,\"properties\":{\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}},\"_normalizeBlock\":{\"type\":\"object\",\"description\":\"Never shown\",\"minItems\":1,\"additionalProperties\":true,\"properties\":{\"map\":{\"description\":\"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. 
If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.\",\"type\":\"array\",\"minItems\":2,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}}}}"},"error":0} --------- root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# ```
Update an already existing json policy :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/custom/0",
      "format": "json"
    }
  },
  {
    "command": "router",
    "subcommand": "put",
    "parameters": {
      "name": "decoder/custom/0",
      "format": "json",
      "content": "{\"name\":\"decoder/custom/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/custom/0",
      "format": "json"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket

> Change the integration's version
> integration/wazuh-core/0 -> integration/wazuh-core/1

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/custom/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/custom/0', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"{\"name\":\"policy/custom/0\",\"integrations\":[\"integration/wazuh-qa/0\"]}"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'put', 'parameters': {'name': 'policy/custom/0', 'format': 'json', 'content': '{"name":"policy/custom/0","integrations":["integration/wazuh-core/1"]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/put', 'parameters': {'name': 'policy/custom/0', 'format': 'json', 'content': '{"name":"policy/custom/0","integrations":["integration/wazuh-core/1"]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/custom/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/custom/0', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"{\"name\":\"policy/custom/0\",\"integrations\":[\"integration/wazuh-core/1\"]}"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> If you try to use a non-existing integration it fails:
> `{"data":{"status":"ERROR","error":"An error occurred while trying to validate 'policy/custom/0': Error loading integration/wazuh-qa/3: "},"error":0}`
Update an already existing json output :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "output/file-output/0",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "put",
    "parameters": {
      "name": "output/file-output/0",
      "format": "json",
      "content": "{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\"},\"compatibility\":\"This decoder has been tested on Wazuh version 4.4\n\",\"description\":\"Output events to a file\",\"title\":\"file output event\"},\"name\":\"output/file-output/0\",\"outputs\":[{\"file\":{\"path\":\"/var/ossec/logs/alerts/alerts-ECS.json\"}}]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "output/file-output/0",
      "format": "json"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket

> Change the wazuh's version ref
> 4.3 -> 4.4

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/file-output/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/file-output/0', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\"},\"compatibility\":\"This decoder has been tested on Wazuh version 4.3\\n\",\"description\":\"Output events to a file\",\"title\":\"file output event\"},\"name\":\"output/file-output/0\",\"outputs\":[{\"file\":{\"path\":\"/var/ossec/logs/alerts/alerts-ECS.json\"}}]}"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'put', 'parameters': {'name': 'output/file-output/0', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/file-output/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/put', 'parameters': {'name': 'output/file-output/0', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/file-output/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/file-output/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/file-output/0', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\"},\"compatibility\":\"This decoder has been tested on Wazuh version 4.4\\n\",\"description\":\"Output events to a file\",\"title\":\"file output event\"},\"name\":\"output/file-output/0\",\"outputs\":[{\"file\":{\"path\":\"/var/ossec/logs/alerts/alerts-ECS.json\"}}]}"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> You have to double escape the `\n`; if not, it fails.
Update an already existing json filter :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "filter/allow-all/0",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "put",
    "parameters": {
      "name": "filter/allow-all/0",
      "format": "json",
      "content": "{\"metadata\":{\"author\":{\"date\":\"2023/11/08\",\"name\":\"Wazuh, Inc.\",\"url\":\"https://wazuh.com\"},\"description\":\"Default filter to allow all events (for default ruleset)\"},\"name\":\"filter/allow-all/0\"}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "filter/allow-all/0",
      "format": "json"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/allow-all/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/allow-all/0', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\",\"url\":\"https://wazuh.com\"},\"description\":\"Default filter to allow all events (for default ruleset)\"},\"name\":\"filter/allow-all/0\"}"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'put', 'parameters': {'name': 'filter/allow-all/0', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/allow-all/0"}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/put', 'parameters': {'name': 'filter/allow-all/0', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/allow-all/0"}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/allow-all/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/allow-all/0', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"{\"metadata\":{\"author\":{\"date\":\"2023/11/08\",\"name\":\"Wazuh, Inc.\",\"url\":\"https://wazuh.com\"},\"description\":\"Default filter to allow all events (for default ruleset)\"},\"name\":\"filter/allow-all/0\"}"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario Outline 9: catalog - update a non-existing item

Update non-existing json item by its id :red_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/wazuh/0",
      "format": "json"
    }
  },
  {
    "command": "router",
    "subcommand": "put",
    "parameters": {
      "name": "decoder/wazuh/0",
      "format": "json",
      "content": "{}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/wazuh/0",
      "format": "json"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/wazuh/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/wazuh/0', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'decoder/wazuh/0' could not be obtained from store: File '/var/ossec/engine/store/decoder/wazuh/0' does not exist"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'put', 'parameters': {'name': 'decoder/wazuh/0', 'format': 'json', 'content': '{}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/put', 'parameters': {'name': 'decoder/wazuh/0', 'format': 'json', 'content': '{}'}}
Response: {"data":{"status":"ERROR","error":"Field 'name' is missing in content"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/wazuh/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/wazuh/0', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'decoder/wazuh/0' could not be obtained from store: File '/var/ossec/engine/store/decoder/wazuh/0' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> When you try to update an item that is not loaded in the catalog, it should fail as the CLI does:
> ```
> Content 'decoder/wazuh/0' could not be obtained from store: File '/var/ossec/engine/store/decoder/wazuh/0' does not exist
> ```
> If you add the content as `"{\"name\":\"decoder/wazuh/0\"}"` the output will be the expected one, but if the item does not exist it should fail even if the content is empty.
Update non-existing json item by its version :red_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/wazuh/0",
      "format": "json"
    }
  },
  {
    "command": "router",
    "subcommand": "put",
    "parameters": {
      "name": "decoder/wazuh/0",
      "format": "json",
      "content": "{}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/wazuh/0",
      "format": "json"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/custom', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/custom', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"decoder/custom/0\"]"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'put', 'parameters': {'name': 'decoder/custom/23', 'format': 'json', 'content': '{}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/put', 'parameters': {'name': 'decoder/custom/23', 'format': 'json', 'content': '{}'}}
Response: {"data":{"status":"ERROR","error":"Field 'name' is missing in content"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/custom', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/custom', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"decoder/custom/0\"]"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> When you try to update an item that is not loaded in the catalog, it should fail as the CLI does:
> ```
> Content 'decoder/custom/23' could not be obtained from store: File '/var/ossec/engine/store/decoder/custom/23' does not exist
> ```
> If you add the content as `"{\"name\":\"decoder/custom/23\"}"` the output will be the expected one, but if the item does not exist it should fail even if the content is empty.
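The reports in this comment all share one shape: a `cases.json` entry is turned into a `catalog.resource/<subcommand>` query, the response carries a transport `error` code plus a `data.status`, and the `put` scenarios above expect a rejection whenever the item was not already in the store. The helper below is an added example for checking that shape offline; it is not the wazuh-qa `test_api_endpoint.py` script and does not talk to the socket. The envelope fields (`version`, `origin`, `command`) are reconstructed from the Query lines printed above, the mapping of every case onto `catalog.resource/...` is an assumption, and the `PUT_OK` response is constructed to stand for the case the note describes (a `put` on a missing item succeeding once the content carries a `name`). It also shows why the `\n` in the output case needed double escaping: building the asset as a dict and serialising it with `json.dumps` produces the correctly escaped `content` string without hand-editing.

```python
"""Offline checks for engine catalog API cases (added example, not the QA script)."""
from __future__ import annotations

import json

ORIGIN = {"name": "engine", "module": "api"}  # as printed in every Query line above


def build_query(case: dict) -> dict:
    """Turn one cases.json entry into the envelope the report prints as Query.

    Assumption: every case on this page maps to 'catalog.resource/<subcommand>',
    so the 'command' field of the case is not consulted here.
    """
    return {
        "version": 1,
        "origin": dict(ORIGIN),
        "command": f"catalog.resource/{case['subcommand']}",
        "parameters": dict(case["parameters"]),
    }


def encode_content(asset: dict) -> str:
    """Serialise an asset for the 'content' parameter.

    A newline inside a string field comes out as the two characters
    backslash and n, which is the double-escaped form the output case needed;
    hand-writing the nested JSON is where the single '\\n' slipped in.
    """
    return json.dumps(asset, separators=(",", ":"))


def parse_response(raw: str) -> tuple[bool, str]:
    """Return (ok, detail): ok only when error == 0 and data.status == "OK".

    detail is the content on success, the error text on failure.
    """
    resp = json.loads(raw)
    data = resp.get("data", {})
    if resp.get("error", 0) != 0:
        return False, f"transport error {resp['error']}"
    if data.get("status") != "OK":
        return False, data.get("error", "unknown error")
    return True, data.get("content", "")


def listed_items(raw: str) -> list[str]:
    """Names returned by a collection get; the content is itself a JSON array."""
    ok, content = parse_response(raw)
    if not ok or not content:
        return []
    parsed = json.loads(content)
    return parsed if isinstance(parsed, list) else []


def judge_update(get_before: str, put_resp: str) -> str:
    """Apply the Scenario 9 expectation to a get/put pair.

    If the item was not in the store before the put, the put must be rejected;
    a successful put in that situation is the behaviour the report flags.
    """
    existed, _ = parse_response(get_before)
    put_ok, put_detail = parse_response(put_resp)
    if not existed and put_ok:
        return "fail: put accepted for an item the store does not hold"
    if not existed:
        return f"pass: put rejected ({put_detail})"
    if put_ok:
        return "pass: existing item updated"
    return f"fail: update of existing item rejected ({put_detail})"


# Sample responses copied from the report, plus one constructed case (PUT_OK).
MISSING = ('{"data":{"status":"ERROR","error":"Content \'decoder/wazuh/0\' could not be '
           'obtained from store: File \'/var/ossec/engine/store/decoder/wazuh/0\' '
           'does not exist"},"error":0}')
PUT_NO_NAME = '{"data":{"status":"ERROR","error":"Field \'name\' is missing in content"},"error":0}'
PUT_OK = '{"data":{"status":"OK"},"error":0}'  # constructed: put accepted for a missing item
LISTING = '{"data":{"status":"OK","content":"[\\"decoder/custom/0\\"]"},"error":0}'

if __name__ == "__main__":
    case = {"command": "catalog", "subcommand": "get",
            "parameters": {"name": "decoder/custom", "format": "json"}}
    print(json.dumps(build_query(case)))
    print(encode_content({"compatibility": "tested on Wazuh version 4.4\n"}))
    print(listed_items(LISTING))
    print(judge_update(MISSING, PUT_NO_NAME))
    print(judge_update(MISSING, PUT_OK))
```

Running it prints the reconstructed query for a collection `get`, the correctly escaped content string, the parsed item list, `pass` for the `{}` put that the engine rejected, and `fail` for the constructed case where a put on a missing item is accepted.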
roronoasins commented 1 year ago

Scenario Outline 10: catalog - create an item

Create a decoder using json format :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/newdecoder",
      "format": "json"
    }
  },
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "decoder",
      "format": "json",
      "content": "{\"name\":\"decoder/newdecoder/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/newdecoder",
      "format": "json"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/newdecoder', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/newdecoder', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'decoder/newdecoder' could not be obtained from store: File '/var/ossec/engine/store/decoder/newdecoder' does not exist"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'decoder', 'format': 'json', 'content': '{"name":"decoder/newdecoder/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'decoder', 'format': 'json', 'content': '{"name":"decoder/newdecoder/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/newdecoder', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/newdecoder', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"decoder/newdecoder/0\"]"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Create a schema using json format :green_circle: 1. Start the manager ``` root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# ``` 2. Add the cases to the `cases.json` ```json [ { "command": "catalog", "subcommand": "get", "parameters": { "name": "schema/new-asset", "format": "json" } }, { "command": "catalog", "subcommand": "post", "parameters": { "type": "schema", "format": "json", "content": "{\"$schema\":\"http://json-schema.org/draft-07/schema#\",\"$id\":\"wazuh-asset.json\",\"name\":\"schema/new-asset/0\",\"title\":\"Schema for Wazuh assets\",\"type\":\"object\",\"description\":\"Schema for Wazuh assets\",\"additionalProperties\":false,\"required\":[\"name\",\"metadata\"],\"anyOf\":[{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"parse\"]},{\"required\":[\"normalize\"]}],\"not\":{\"anyOf\":[{\"required\":[\"allow\"]},{\"required\":[\"outputs\"]}]}},{\"required\":[\"outputs\"],\"not\":{\"anyOf\":[{\"required\":[\"normalize\"]},{\"required\":[\"parse\"]}]}},{\"required\":[\"allow\",\"sources\"],\"not\":{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"normalize\"]}]}}],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name of the asset, short and concise name to identify this asset\",\"pattern\":\"^[^/]+/[^/]+/[^/]+$\"},\"metadata\":{\"type\":\"object\",\"description\":\"Metadata of this item\",\"additionalProperties\":false,\"required\":[\"module\",\"title\",\"description\",\"compatibility\",\"versions\",\"author\",\"references\"],\"properties\":{\"module\":{\"type\":\"string\",\"description\":\"The module this item belongs to\"},\"title\":{\"type\":\"string\",\"description\":\"Short and concise description of this item\"},\"description\":{\"type\":\"string\",\"description\":\"Long description of this item, explaining what it does and how it works\"},\"compatibility\":{\"type\":\"string\",\"description\":\"Description of the 
supported services and versions of the logs processed by this item\"},\"versions\":{\"type\":\"array\",\"description\":\"A list of the service versions supported\",\"items\":{\"type\":\"string\"}},\"author\":{\"type\":\"object\",\"description\":\"Author\",\"additionalProperties\":false,\"required\":[\"name\",\"date\"],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name/Organization\"},\"email\":{\"type\":\"string\",\"description\":\"Email\"},\"url\":{\"type\":\"string\",\"description\":\"URL linking to the author's website\"},\"date\":{\"type\":\"string\",\"description\":\"Date of the author\"}}},\"references\":{\"type\":\"array\",\"description\":\"References to external resources\"}}},\"sources\":{\"type\":\"array\",\"description\":\"This asset will process events coming only from the specified sources\",\"items\":{\"type\":\"string\"}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"allow\":{\"$ref\":\"#/definitions/_check\"},\"normalize\":{\"type\":\"array\",\"description\":\"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].\",\"minItems\":1,\"items\":{\"$ref\":\"#/definitions/_normalizeBlock\"}},\"outputs\":{\"type\":\"array\",\"description\":\"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.\",\"minItems\":1},\"definitions\":{\"type\":\"object\",\"description\":\"Variable definitions, used to define variables that can be reused in other parts of the item\",\"minProperties\":1},\"parse\":{\"$ref\":\"#/definitions/_parse\"}},\"definitions\":{\"_check\":{\"oneOf\":[{\"type\":\"array\",\"description\":\"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.\",\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]},\"minItems\":1},{\"type\":\"string\",\"description\":\"Check conditional expression, the expression must be valuated to true in order to further process events with this asset\"}]},\"_logpar\":{\"type\":\"array\",\"description\":\"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.\",\"minItems\":1,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"_parse\":{\"type\":\"object\",\"description\":\"Parse the event using the specified parser engine. Suports `logpar` parser.\",\"additionalProperties\":false,\"minProperties\":1,\"properties\":{\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}},\"_normalizeBlock\":{\"type\":\"object\",\"description\":\"Never shown\",\"minItems\":1,\"additionalProperties\":true,\"properties\":{\"map\":{\"description\":\"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. 
If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.\",\"type\":\"array\",\"minItems\":2,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}}}}" } }, { "command": "catalog", "subcommand": "get", "parameters": { "name": "schema/new-asset", "format": "json" } } ] ``` 3. Run the custom script to perform the request to the API socket ``` root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py --------- Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/new-asset', 'format': 'json'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/new-asset', 'format': 'json'}} Response: {"data":{"status":"ERROR","error":"Content 'schema/new-asset' could not be obtained from store: File '/var/ossec/engine/store/schema/new-asset' does not exist"},"error":0} --------- Case: {'command': 'catalog', 'subcommand': 'post', 'parameters': {'type': 'schema', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and 
concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'schema', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions 
supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}} Response: {"data":{"status":"OK"},"error":0} --------- Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/new-asset', 'format': 'json'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/new-asset', 'format': 'json'}} Response: {"data":{"status":"OK","content":"[\"schema/new-asset/0\"]"},"error":0} --------- root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# ```
Create a policy using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "policy/newpolicy",
      "format": "json"
    }
  },
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "policy",
      "format": "json",
      "content": "{\"name\":\"policy/custom/0\",\"integrations\":[\"integration/wazuh-core/1\"]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "policy/newpolicy",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/newpolicy', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/newpolicy', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'policy/newpolicy' could not be obtained from store: File '/var/ossec/engine/store/policy/newpolicy' does not exist"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'policy', 'format': 'json', 'content': '{"name":"policy/newpolicy/0","integrations":["integration/wazuh-core/1"]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'policy', 'format': 'json', 'content': '{"name":"policy/newpolicy/0","integrations":["integration/wazuh-core/1"]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/newpolicy', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/newpolicy', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"policy/newpolicy/0\"]"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Create an output using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "output/newoutput",
      "format": "json"
    }
  },
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "output",
      "format": "json",
      "content": "{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\"},\"compatibility\":\"This decoder has been tested on Wazuh version 4.4\\n\",\"description\":\"Output events to a file\",\"title\":\"file output event\"},\"name\":\"output/newoutput/0\",\"outputs\":[{\"file\":{\"path\":\"/var/ossec/logs/alerts/alerts-ECS.json\"}}]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "output/newoutput",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/newoutput', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/newoutput', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'output/newoutput' could not be obtained from store: File '/var/ossec/engine/store/output/newoutput' does not exist"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'output', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/newoutput/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'output', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/newoutput/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/newoutput', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/newoutput', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"output/newoutput/0\"]"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Create a filter using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "filter/new-filter",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "post",
    "parameters": {
      "type": "filter",
      "format": "json",
      "content": "{\"metadata\":{\"author\":{\"date\":\"2023/11/08\",\"name\":\"Wazuh, Inc.\",\"url\":\"https://wazuh.com\"},\"description\":\"Default filter to allow all events (for default ruleset)\"},\"name\":\"filter/new-filter/0\"}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "filter/new-filter",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/new-filter', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/new-filter', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'filter/new-filter' could not be obtained from store: File '/var/ossec/engine/store/filter/new-filter' does not exist"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'filter', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/new-filter/0"}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'filter', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/new-filter/0"}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/new-filter', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/new-filter', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"filter/new-filter/0\"]"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Create an item providing a wrong type :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "post",
    "parameters": {
      "type": "policy",
      "format": "json",
      "content": "{\"name\":\"decoder/adecoder/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  }
]
```

> Try to add a decoder when a policy is expected

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'post', 'parameters': {'type': 'policy', 'format': 'json', 'content': '{"name":"decoder/adecoder/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'policy', 'format': 'json', 'content': '{"name":"decoder/adecoder/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"ERROR","error":"Invalid content name 'decoder/adecoder/0' for collection 'policy'"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario 11: catalog - create an already existing item

Create an already existing item using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/custom/0",
      "format": "json"
    }
  },
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "decoder",
      "format": "json",
      "content": "{\"name\":\"decoder/custom/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  }
]
```

> Try to create a decoder that already exists

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/custom/0', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/custom/0', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"{\"name\":\"decoder/custom/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'decoder', 'format': 'json', 'content': '{"name":"decoder/custom/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'decoder', 'format': 'json', 'content': '{"name":"decoder/custom/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"ERROR","error":"Content 'decoder/custom/0' could not be added to store: File '/var/ossec/engine/store/decoder/custom/0' already exists"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario 12: catalog - create a non-existing item type

Create a non-existing item type using json format :yellow_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "none",
      "format": "json",
      "content": "{\"name\":\"decoder/custom/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  }
]
```

> Try to create a decoder that already exists

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'none', 'format': 'json', 'content': '{"name":"decoder/custom/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'none', 'format': 'json', 'content': '{"name":"decoder/custom/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"ERROR","error":"Missing /type parameter or is invalid"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> The error is the same as if you do not provide the `type` parameter.
> It could be improved to something like "X type is not supported/expected".
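To make the translation visible in the logs above concrete, here is an added Python helper; it is not part of wazuh-qa or of the page's `test_api_endpoint.py`. It turns a `cases.json` entry into the reorganized `catalog.resource/<subcommand>` query, runs a client-side pre-check on a `post` that reproduces the engine errors captured above (an assumption about the engine's rules, not its code), and decodes the double-encoded `content` of a `get` reply; the sample replies are copied from the log, with the item reply shortened.

```python
import json
import re
from typing import Any, Optional, Tuple

# Origin the page's test script sends with every query.
ORIGIN = {"name": "engine", "module": "api"}
SUPPORTED = {"get", "post", "delete"}   # subcommands exercised on this page
DEPRECATED = {"list"}                   # removed from the catalog command
ITEM_TYPES = {"decoder", "schema", "policy", "output", "filter"}
FORMATS = {"json", "yaml", "yml"}
# Asset name pattern from the wazuh-asset schema posted above: <type>/<name>/<version>
NAME_RE = re.compile(r"^[^/]+/[^/]+/[^/]+$")


def validate_case(case: dict) -> Optional[str]:
    """Return a problem description for a cases.json entry, or None if it is usable."""
    if case.get("command") != "catalog":
        return f"only the catalog command is handled here, got {case.get('command')!r}"
    sub = case.get("subcommand")
    if sub in DEPRECATED:
        return f"subcommand {sub!r} has been deprecated"
    if sub not in SUPPORTED:
        return f"unsupported subcommand {sub!r}"
    params = case.get("parameters", {})
    if sub != "post" and "name" not in params:
        return "get/delete need a name (a type, type/name or type/name/version)"
    if sub != "delete" and params.get("format") not in FORMATS:
        return "format must be json, yaml or yml"
    return None


def build_query(case: dict) -> dict:
    """Translate a cases.json entry into the reorganized API query.

    {"command": "catalog", "subcommand": "get", "parameters": P} becomes
    {"version": 1, "origin": ORIGIN, "command": "catalog.resource/get", "parameters": P},
    which is the shape shown in every Query line of the test log.
    """
    problem = validate_case(case)
    if problem:
        raise ValueError(problem)
    return {"version": 1, "origin": dict(ORIGIN),
            "command": f"catalog.resource/{case['subcommand']}",
            "parameters": dict(case["parameters"])}


def precheck_post(params: dict) -> Optional[str]:
    """Client-side pre-flight for a post, mirroring the errors the engine returned above.

    Only JSON content is inspected (assumption); yaml/yml content is passed through.
    """
    itype = params.get("type")
    if itype not in ITEM_TYPES:
        return "Missing /type parameter or is invalid"
    if params.get("format") != "json":
        return None
    try:
        name = json.loads(params["content"])["name"]
    except (KeyError, TypeError, ValueError):
        return "content must be a JSON object with a name"
    if not isinstance(name, str) or not NAME_RE.match(name):
        return f"name {name!r} must look like <type>/<name>/<version>"
    if name.split("/", 1)[0] != itype:
        return f"Invalid content name '{name}' for collection '{itype}'"
    return None


def parse_response(raw: str) -> Tuple[bool, Any]:
    """Return (ok, payload) for one Response line.

    The outer `error` field was 0 in every ERROR reply captured on this page,
    so `data.status` is what decides success. On a successful get, `content` is
    a JSON document serialized inside a string (a list of ids for a collection,
    the item itself for a full id), so it is decoded a second time; content that
    is not JSON (yaml/yml) is returned as the raw string.
    """
    data = json.loads(raw)["data"]
    if data.get("status") != "OK":
        return False, data.get("error", "unknown error")
    content = data.get("content")
    if content is None:  # post/delete replies carry no content
        return True, None
    try:
        return True, json.loads(content)
    except ValueError:
        return True, content


# Reply strings copied from the log above (the item reply shortened to its first fields).
SAMPLE_GET_COLLECTION = r'{"data":{"status":"OK","content":"[\"policy/newpolicy/0\"]"},"error":0}'
SAMPLE_GET_ITEM = (
    r'{"data":{"status":"OK","content":"{\"name\":\"decoder/custom/0\",'
    r'\"metadata\":{\"description\":\"Accept all\"},'
    r'\"sources\":[\"decoder/integrations/0\"]}"},"error":0}'
)
SAMPLE_GET_ERROR = r'''{"data":{"status":"ERROR","error":"Content 'policy/newpolicy' could not be obtained from store: File '/var/ossec/engine/store/policy/newpolicy' does not exist"},"error":0}'''

if __name__ == "__main__":
    case = {"command": "catalog", "subcommand": "post",
            "parameters": {"type": "policy", "format": "json",
                           "content": '{"name":"decoder/adecoder/0","metadata":{}}'}}
    print("Query:", json.dumps(build_query(case)))
    print("Pre-check:", precheck_post(case["parameters"]))
    for raw in (SAMPLE_GET_COLLECTION, SAMPLE_GET_ITEM, SAMPLE_GET_ERROR):
        print(parse_response(raw))
```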
roronoasins commented 1 year ago

Scenario Outline 13: catalog - delete a loaded item

Delete all decoders :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "decoder"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"decoder/sophos-antivirus\",\"decoder/sophos-cfilter\",\"decoder/sophos-atp\",\"decoder/sophos-utm\",\"decoder/aws-s3\",\"decoder/custom-json\",\"decoder/sophos-idp\",\"decoder/f5-afm\",\"decoder/fortinet-client-endpoint\",\"decoder/postgresql-csv\",\"decoder/redis\",\"decoder/sophos-wifi\",\"decoder/fortinet-fortimanager\",\"decoder/nginx-access\",\"decoder/nginx-access-base\",\"decoder/sophos-antispam\",\"decoder/custom2\",\"decoder/nginx-error\",\"decoder/postgresql-csv-msg-parse\",\"decoder/sophos-event\",\"decoder/syslog\",\"decoder/sonicwall-firewall\",\"decoder/aws-cloudtrail\",\"decoder/aws\",\"decoder/fortinet-fortimail\",\"decoder/sophos-waf\",\"decoder/sophos-firewall\",\"decoder/sophos-systemhealth\",\"decoder/custom\",\"decoder/fortinet-firewall\",\"decoder/f5-apm\",\"decoder/sophos-sandstorn\"]"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'decoder'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'decoder'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'decoder' could not be obtained from store: File '/var/ossec/engine/store/decoder' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Delete all schemas :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "schema",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "schema"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "schema",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"schema/wazuh-logpar-types\",\"schema/wazuh-asset\",\"schema/new-asset\",\"schema/wazuh-policy\"]"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'schema'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'schema'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'schema' could not be obtained from store: File '/var/ossec/engine/store/schema' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Delete all policies :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "policy",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "policy"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "policy",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"policy/wazuh\",\"policy/newpolicy\",\"policy/custom\"]"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'policy'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'policy'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'policy' could not be obtained from store: File '/var/ossec/engine/store/policy' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Delete all outputs :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "output",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "output"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "output",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"output/newoutput\",\"output/file-output\"]"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'output'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'output'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'output' could not be obtained from store: File '/var/ossec/engine/store/output' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Delete all filters :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "filter",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "filter"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "filter",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"filter/allow-all\",\"filter/new-filter\"]"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'filter'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'filter'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'filter' could not be obtained from store: File '/var/ossec/engine/store/filter' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario Outline 14: catalog - delete a loaded item id

Delete a decoder :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "decoder",
      "format": "json",
      "content": "{\"name\":\"decoder/newdecoder/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "decoder/newdecoder"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/newdecoder",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'decoder', 'format': 'json', 'content': '{"name":"decoder/newdecoder/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'decoder', 'format': 'json', 'content': '{"name":"decoder/newdecoder/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'decoder/newdecoder'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'decoder/newdecoder'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/newdecoder', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/newdecoder', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'decoder/newdecoder' could not be obtained from store: File '/var/ossec/engine/store/decoder/newdecoder' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Delete a schema :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "post",
    "parameters": {
      "type": "schema",
      "format": "json",
      "content": "{\"$schema\":\"http://json-schema.org/draft-07/schema#\",\"$id\":\"wazuh-asset.json\",\"name\":\"schema/new-asset/0\",\"title\":\"Schema for Wazuh assets\",\"type\":\"object\",\"description\":\"Schema for Wazuh assets\",\"additionalProperties\":false,\"required\":[\"name\",\"metadata\"],\"anyOf\":[{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"parse\"]},{\"required\":[\"normalize\"]}],\"not\":{\"anyOf\":[{\"required\":[\"allow\"]},{\"required\":[\"outputs\"]}]}},{\"required\":[\"outputs\"],\"not\":{\"anyOf\":[{\"required\":[\"normalize\"]},{\"required\":[\"parse\"]}]}},{\"required\":[\"allow\",\"sources\"],\"not\":{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"normalize\"]}]}}],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name of the asset, short and concise name to identify this asset\",\"pattern\":\"^[^/]+/[^/]+/[^/]+$\"},\"metadata\":{\"type\":\"object\",\"description\":\"Metadata of this item\",\"additionalProperties\":false,\"required\":[\"module\",\"title\",\"description\",\"compatibility\",\"versions\",\"author\",\"references\"],\"properties\":{\"module\":{\"type\":\"string\",\"description\":\"The module this item belongs to\"},\"title\":{\"type\":\"string\",\"description\":\"Short and concise description of this item\"},\"description\":{\"type\":\"string\",\"description\":\"Long description of this item, explaining what it does and how it works\"},\"compatibility\":{\"type\":\"string\",\"description\":\"Description of the supported services and versions of the logs processed by this item\"},\"versions\":{\"type\":\"array\",\"description\":\"A list of the service versions supported\",\"items\":{\"type\":\"string\"}},\"author\":{\"type\":\"object\",\"description\":\"Author\",\"additionalProperties\":false,\"required\":[\"name\",\"date\"],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name/Organization\"},\"email\":{\"type\":\"string\",\"description\":\"Email\"},\"url\":{\"type\":\"string\",\"description\":\"URL linking to the author's website\"},\"date\":{\"type\":\"string\",\"description\":\"Date of the author\"}}},\"references\":{\"type\":\"array\",\"description\":\"References to external resources\"}}},\"sources\":{\"type\":\"array\",\"description\":\"This asset will process events coming only from the specified sources\",\"items\":{\"type\":\"string\"}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"allow\":{\"$ref\":\"#/definitions/_check\"},\"normalize\":{\"type\":\"array\",\"description\":\"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].\",\"minItems\":1,\"items\":{\"$ref\":\"#/definitions/_normalizeBlock\"}},\"outputs\":{\"type\":\"array\",\"description\":\"Outputs of the asset. All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.\",\"minItems\":1},\"definitions\":{\"type\":\"object\",\"description\":\"Variable definitions, used to define variables that can be reused in other parts of the item\",\"minProperties\":1},\"parse\":{\"$ref\":\"#/definitions/_parse\"}},\"definitions\":{\"_check\":{\"oneOf\":[{\"type\":\"array\",\"description\":\"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.\",\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]},\"minItems\":1},{\"type\":\"string\",\"description\":\"Check conditional expression, the expression must be valuated to true in order to further process events with this asset\"}]},\"_logpar\":{\"type\":\"array\",\"description\":\"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.\",\"minItems\":1,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"_parse\":{\"type\":\"object\",\"description\":\"Parse the event using the specified parser engine. Suports `logpar` parser.\",\"additionalProperties\":false,\"minProperties\":1,\"properties\":{\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}},\"_normalizeBlock\":{\"type\":\"object\",\"description\":\"Never shown\",\"minItems\":1,\"additionalProperties\":true,\"properties\":{\"map\":{\"description\":\"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.\",\"type\":\"array\",\"minItems\":2,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}}}}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "schema/new-asset"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/new-asset",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'post', 'parameters': {'type': 'schema', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'schema', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'schema/new-asset'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'schema/new-asset'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/new-asset', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/new-asset', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'decoder/new-asset' could not be obtained from store: File '/var/ossec/engine/store/decoder/new-asset' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Delete a policy :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "policy",
      "format": "json",
      "content": "{\"name\":\"policy/newpolicy/0\",\"integrations\":[\"integration/wazuh-core/1\"]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "policy/newpolicy"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "policy/newpolicy",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'policy', 'format': 'json', 'content': '{"name":"policy/newpolicy/0","integrations":["integration/wazuh-core/1"]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'policy', 'format': 'json', 'content': '{"name":"policy/newpolicy/0","integrations":["integration/wazuh-core/1"]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'policy/newpolicy'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'policy/newpolicy'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/newpolicy', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/newpolicy', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'policy/newpolicy' could not be obtained from store: File '/var/ossec/engine/store/policy/newpolicy' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Delete an output :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "output",
      "format": "json",
      "content": "{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\"},\"compatibility\":\"This decoder has been tested on Wazuh version 4.4\\n\",\"description\":\"Output events to a file\",\"title\":\"file output event\"},\"name\":\"output/newoutput/0\",\"outputs\":[{\"file\":{\"path\":\"/var/ossec/logs/alerts/alerts-ECS.json\"}}]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "output/newoutput"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "output/newoutput",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'output', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/newoutput/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'output', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/newoutput/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'output/newoutput'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'output/newoutput'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/newoutput', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/newoutput', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'output/newoutput' could not be obtained from store: File '/var/ossec/engine/store/output/newoutput' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Delete a filter :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "post",
    "parameters": {
      "type": "filter",
      "format": "json",
      "content": "{\"metadata\":{\"author\":{\"date\":\"2023/11/08\",\"name\":\"Wazuh, Inc.\",\"url\":\"https://wazuh.com\"},\"description\":\"Default filter to allow all events (for default ruleset)\"},\"name\":\"filter/new-filter/0\"}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "filter/new-filter"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "filter/new-filter",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'post', 'parameters': {'type': 'filter', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/new-filter/0"}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'filter', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/new-filter/0"}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'filter/new-filter'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'filter/new-filter'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/new-filter', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/new-filter', 'format': 'json'}}
Response: {"data":{"status":"ERROR","error":"Content 'filter/new-filter' could not be obtained from store: File '/var/ossec/engine/store/filter/new-filter' does not exist"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario Outline 15: catalog - delete a loaded item version

Delete a decoder's version :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "decoder",
      "format": "json",
      "content": "{\"name\":\"decoder/newdecoder/0\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  },
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "decoder",
      "format": "json",
      "content": "{\"name\":\"decoder/newdecoder/1\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/newdecoder",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "decoder/newdecoder/1"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "decoder/newdecoder",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'decoder', 'format': 'json', 'content': '{"name":"decoder/newdecoder/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'decoder', 'format': 'json', 'content': '{"name":"decoder/newdecoder/0","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'decoder', 'format': 'json', 'content': '{"name":"decoder/newdecoder/1","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'decoder', 'format': 'json', 'content': '{"name":"decoder/newdecoder/1","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/newdecoder', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/newdecoder', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"decoder/newdecoder/0\",\"decoder/newdecoder/1\"]"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'decoder/newdecoder/1'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'decoder/newdecoder/1'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'decoder/newdecoder', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'decoder/newdecoder', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"decoder/newdecoder/0\"]"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
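The delete cases above (Scenario 14) and the version-delete case above (Scenario 15) both end with a `catalog get` whose response is the actual evidence. The following Python client is an added example, not the page's `test_api_endpoint.py` and not engine code: it builds the same query envelope the logged `Query:` lines show (`version` 1, `origin` engine/api, `command` `catalog.resource/<subcommand>`), sends it over the engine API Unix socket, and then judges the `get` that follows a `delete`. The socket path, the raw-JSON socket framing and the `replay_transport` canned answers are assumptions or constructed values. `verify_delete` first confirms that the `get` targets the collection that was actually deleted (a `get` on another type proves nothing), then distinguishes deleting a whole `type/name` (the store file must be gone, so `get` must return `ERROR`) from deleting one `type/name/version` (the listing must still succeed and omit that version).

```python
"""Replay the delete -> get checks from the catalog scenarios above against the
engine API socket. Added example; not the QA script (test_api_endpoint.py)."""
import json
import socket
from typing import Any, Callable, Dict, List, Tuple

# Assumption: the issue does not name the socket path, this is a placeholder.
ENGINE_API_SOCKET = "/path/to/engine-api.sock"

Case = Dict[str, Any]
Transport = Callable[[bytes], bytes]


def build_query(case: Case) -> Dict[str, Any]:
    """Wrap a cases.json entry in the envelope seen in the logged Query lines:
    version 1, origin engine/api, command 'catalog.resource/<subcommand>'."""
    return {
        "version": 1,
        "origin": {"name": "engine", "module": "api"},
        "command": f"catalog.resource/{case['subcommand']}",
        "parameters": case["parameters"],
    }


def unix_socket_transport(payload: bytes) -> bytes:
    """Send one request over the engine API Unix socket and read the reply.
    Assumption: raw JSON with the reply terminated by the peer closing."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(ENGINE_API_SOCKET)
        sock.sendall(payload)
        chunks: List[bytes] = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def run_cases(cases: List[Case],
              transport: Transport = unix_socket_transport) -> List[Tuple[Case, Dict[str, Any]]]:
    """Send the cases in order and pair each with its decoded response."""
    results: List[Tuple[Case, Dict[str, Any]]] = []
    for case in cases:
        raw = transport(json.dumps(build_query(case)).encode())
        results.append((case, json.loads(raw)))
    return results


def collection_of(name: str) -> str:
    """'decoder/newdecoder/1' -> 'decoder/newdecoder'; a type/name pair is unchanged."""
    return "/".join(name.split("/")[:2])


def verify_delete(delete_case: Case, get_case: Case, get_response: Dict[str, Any]) -> str:
    """Judge the get that follows a delete; returns 'pass' or the reason it failed.
    Deleting type/name: the store file must be gone, so get must return ERROR.
    Deleting type/name/version: get must succeed and no longer list that version."""
    deleted = delete_case["parameters"]["name"]
    queried = get_case["parameters"]["name"]
    # Guard: a get on a different collection proves nothing about the delete.
    if collection_of(deleted) != queried:
        return f"get targets {queried!r}, not the deleted collection {collection_of(deleted)!r}"
    data = get_response.get("data", {})
    if deleted.count("/") == 1:
        err = data.get("error", "")
        if data.get("status") == "ERROR" and f"'{deleted}'" in err and "does not exist" in err:
            return "pass"
        return f"collection still readable after delete: {data}"
    if data.get("status") != "OK":
        return f"get failed after deleting a single version: {data}"
    versions = json.loads(data["content"])  # content is a JSON-encoded list of versions
    return "pass" if deleted not in versions else f"{deleted} still listed: {versions}"


# Constructed replay transport with answers copied from the Scenario 15 log above,
# keyed on (subcommand, name), so the block runs without a manager.
CANNED_RESPONSES = {
    ("post", None): '{"data":{"status":"OK"},"error":0}',
    ("delete", "decoder/newdecoder/1"): '{"data":{"status":"OK"},"error":0}',
    ("get", "decoder/newdecoder"):
        '{"data":{"status":"OK","content":"[\\"decoder/newdecoder/0\\"]"},"error":0}',
}


def replay_transport(payload: bytes) -> bytes:
    """Offline stand-in for unix_socket_transport using the canned answers."""
    query = json.loads(payload)
    subcommand = query["command"].rsplit("/", 1)[1]
    return CANNED_RESPONSES[(subcommand, query["parameters"].get("name"))].encode()


if __name__ == "__main__":
    cases = [
        {"command": "catalog", "subcommand": "delete", "parameters": {"name": "decoder/newdecoder/1"}},
        {"command": "catalog", "subcommand": "get",
         "parameters": {"name": "decoder/newdecoder", "format": "json"}},
    ]
    (delete_case, _), (get_case, get_resp) = run_cases(cases, replay_transport)
    print(verify_delete(delete_case, get_case, get_resp))  # pass
```

To run it against a live manager, point `ENGINE_API_SOCKET` at the real socket and call `run_cases(cases)` without the replay transport; the verdict string is what a harness should assert on, since a `get` that merely returns `ERROR` for some unrelated name would otherwise look like a successful delete.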
Delete a schema's version :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "post",
    "parameters": {
      "type": "schema",
      "format": "json",
      "content": "{\"$schema\":\"http://json-schema.org/draft-07/schema#\",\"$id\":\"wazuh-asset.json\",\"name\":\"schema/new-asset/0\",\"title\":\"Schema for Wazuh assets\",\"type\":\"object\",\"description\":\"Schema for Wazuh assets\",\"additionalProperties\":false,\"required\":[\"name\",\"metadata\"],\"anyOf\":[{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"parse\"]},{\"required\":[\"normalize\"]}],\"not\":{\"anyOf\":[{\"required\":[\"allow\"]},{\"required\":[\"outputs\"]}]}},{\"required\":[\"outputs\"],\"not\":{\"anyOf\":[{\"required\":[\"normalize\"]},{\"required\":[\"parse\"]}]}},{\"required\":[\"allow\",\"sources\"],\"not\":{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"normalize\"]}]}}],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name of the asset, short and concise name to identify this asset\",\"pattern\":\"^[^/]+/[^/]+/[^/]+$\"},\"metadata\":{\"type\":\"object\",\"description\":\"Metadata of this item\",\"additionalProperties\":false,\"required\":[\"module\",\"title\",\"description\",\"compatibility\",\"versions\",\"author\",\"references\"],\"properties\":{\"module\":{\"type\":\"string\",\"description\":\"The module this item belongs to\"},\"title\":{\"type\":\"string\",\"description\":\"Short and concise description of this item\"},\"description\":{\"type\":\"string\",\"description\":\"Long description of this item, explaining what it does and how it works\"},\"compatibility\":{\"type\":\"string\",\"description\":\"Description of the supported services and versions of the logs processed by this item\"},\"versions\":{\"type\":\"array\",\"description\":\"A list of the service versions supported\",\"items\":{\"type\":\"string\"}},\"author\":{\"type\":\"object\",\"description\":\"Author\",\"additionalProperties\":false,\"required\":[\"name\",\"date\"],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name/Organization\"},\"email\":{\"type\":\"string\",\"description\":\"Email\"},\"url\":{\"type\":\"string\",\"description\":\"URL linking to the author's website\"},\"date\":{\"type\":\"string\",\"description\":\"Date of the author\"}}},\"references\":{\"type\":\"array\",\"description\":\"References to external resources\"}}},\"sources\":{\"type\":\"array\",\"description\":\"This asset will process events coming only from the specified sources\",\"items\":{\"type\":\"string\"}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"allow\":{\"$ref\":\"#/definitions/_check\"},\"normalize\":{\"type\":\"array\",\"description\":\"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].\",\"minItems\":1,\"items\":{\"$ref\":\"#/definitions/_normalizeBlock\"}},\"outputs\":{\"type\":\"array\",\"description\":\"Outputs of the asset. All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.\",\"minItems\":1},\"definitions\":{\"type\":\"object\",\"description\":\"Variable definitions, used to define variables that can be reused in other parts of the item\",\"minProperties\":1},\"parse\":{\"$ref\":\"#/definitions/_parse\"}},\"definitions\":{\"_check\":{\"oneOf\":[{\"type\":\"array\",\"description\":\"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.\",\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]},\"minItems\":1},{\"type\":\"string\",\"description\":\"Check conditional expression, the expression must be valuated to true in order to further process events with this asset\"}]},\"_logpar\":{\"type\":\"array\",\"description\":\"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.\",\"minItems\":1,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"_parse\":{\"type\":\"object\",\"description\":\"Parse the event using the specified parser engine. Suports `logpar` parser.\",\"additionalProperties\":false,\"minProperties\":1,\"properties\":{\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}},\"_normalizeBlock\":{\"type\":\"object\",\"description\":\"Never shown\",\"minItems\":1,\"additionalProperties\":true,\"properties\":{\"map\":{\"description\":\"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.\",\"type\":\"array\",\"minItems\":2,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}}}}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "post",
    "parameters": {
      "type": "schema",
      "format": "json",
      "content": "{\"$schema\":\"http://json-schema.org/draft-07/schema#\",\"$id\":\"wazuh-asset.json\",\"name\":\"schema/new-asset/1\",\"title\":\"Schema for Wazuh assets\",\"type\":\"object\",\"description\":\"Schema for Wazuh assets\",\"additionalProperties\":false,\"required\":[\"name\",\"metadata\"],\"anyOf\":[{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"parse\"]},{\"required\":[\"normalize\"]}],\"not\":{\"anyOf\":[{\"required\":[\"allow\"]},{\"required\":[\"outputs\"]}]}},{\"required\":[\"outputs\"],\"not\":{\"anyOf\":[{\"required\":[\"normalize\"]},{\"required\":[\"parse\"]}]}},{\"required\":[\"allow\",\"sources\"],\"not\":{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"normalize\"]}]}}],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name of the asset, short and concise name to identify this asset\",\"pattern\":\"^[^/]+/[^/]+/[^/]+$\"},\"metadata\":{\"type\":\"object\",\"description\":\"Metadata of this item\",\"additionalProperties\":false,\"required\":[\"module\",\"title\",\"description\",\"compatibility\",\"versions\",\"author\",\"references\"],\"properties\":{\"module\":{\"type\":\"string\",\"description\":\"The module this item belongs to\"},\"title\":{\"type\":\"string\",\"description\":\"Short and concise description of this item\"},\"description\":{\"type\":\"string\",\"description\":\"Long description of this item, explaining what it does and how it 
works\"},\"compatibility\":{\"type\":\"string\",\"description\":\"Description of the supported services and versions of the logs processed by this item\"},\"versions\":{\"type\":\"array\",\"description\":\"A list of the service versions supported\",\"items\":{\"type\":\"string\"}},\"author\":{\"type\":\"object\",\"description\":\"Author\",\"additionalProperties\":false,\"required\":[\"name\",\"date\"],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name/Organization\"},\"email\":{\"type\":\"string\",\"description\":\"Email\"},\"url\":{\"type\":\"string\",\"description\":\"URL linking to the author's website\"},\"date\":{\"type\":\"string\",\"description\":\"Date of the author\"}}},\"references\":{\"type\":\"array\",\"description\":\"References to external resources\"}}},\"sources\":{\"type\":\"array\",\"description\":\"This asset will process events coming only from the specified sources\",\"items\":{\"type\":\"string\"}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"allow\":{\"$ref\":\"#/definitions/_check\"},\"normalize\":{\"type\":\"array\",\"description\":\"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].\",\"minItems\":1,\"items\":{\"$ref\":\"#/definitions/_normalizeBlock\"}},\"outputs\":{\"type\":\"array\",\"description\":\"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.\",\"minItems\":1},\"definitions\":{\"type\":\"object\",\"description\":\"Variable definitions, used to define variables that can be reused in other parts of the item\",\"minProperties\":1},\"parse\":{\"$ref\":\"#/definitions/_parse\"}},\"definitions\":{\"_check\":{\"oneOf\":[{\"type\":\"array\",\"description\":\"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.\",\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]},\"minItems\":1},{\"type\":\"string\",\"description\":\"Check conditional expression, the expression must be valuated to true in order to further process events with this asset\"}]},\"_logpar\":{\"type\":\"array\",\"description\":\"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.\",\"minItems\":1,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"_parse\":{\"type\":\"object\",\"description\":\"Parse the event using the specified parser engine. Suports `logpar` parser.\",\"additionalProperties\":false,\"minProperties\":1,\"properties\":{\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}},\"_normalizeBlock\":{\"type\":\"object\",\"description\":\"Never shown\",\"minItems\":1,\"additionalProperties\":true,\"properties\":{\"map\":{\"description\":\"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. 
If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.\",\"type\":\"array\",\"minItems\":2,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}}}}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "schema/new-asset",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "schema/new-asset/1"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "schema/new-asset",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'post', 'parameters': {'type': 'schema', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this 
item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'schema', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions 
supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}} Response: {"data":{"status":"ERROR","error":"Content 'schema/new-asset/0' could not be added to store: File '/var/ossec/engine/store/schema/new-asset/0' already exists"},"error":0} --------- Case: {'command': 'catalog', 'subcommand': 'post', 'parameters': {'type': 'schema', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/1","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A 
list of the service versions supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'schema', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/1","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions 
supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/new-asset', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/new-asset', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"schema/new-asset/0\",\"schema/new-asset/1\"]"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'schema/new-asset/1'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'schema/new-asset/1'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'schema/new-asset', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'schema/new-asset', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"schema/new-asset/0\"]"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Delete a policy's version :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "policy",
      "format": "json",
      "content": "{\"name\":\"policy/newpolicy/0\",\"integrations\":[\"integration/wazuh-core/1\"]}"
    }
  },
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "policy",
      "format": "json",
      "content": "{\"name\":\"policy/newpolicy/1\",\"integrations\":[\"integration/wazuh-core/1\"]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "policy/newpolicy",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "policy/newpolicy/1"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "policy/newpolicy",
      "format": "json"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'policy', 'format': 'json', 'content': '{"name":"policy/newpolicy/0","integrations":["integration/wazuh-core/1"]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'policy', 'format': 'json', 'content': '{"name":"policy/newpolicy/0","integrations":["integration/wazuh-core/1"]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'policy', 'format': 'json', 'content': '{"name":"policy/newpolicy/1","integrations":["integration/wazuh-core/1"]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'policy', 'format': 'json', 'content': '{"name":"policy/newpolicy/1","integrations":["integration/wazuh-core/1"]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/newpolicy', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/newpolicy', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"policy/newpolicy/0\",\"policy/newpolicy/1\"]"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'policy/newpolicy/1'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'policy/newpolicy/1'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'policy/newpolicy', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'policy/newpolicy', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"policy/newpolicy/0\"]"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
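The runs above all follow one pattern: post two versions of an asset, `get` the `type/name` to list its versions, `delete` one version, `get` again and expect exactly one name to have disappeared. The module below is an added example (not the `test_api_endpoint.py` script used in these runs and not code from wazuh or wazuh-qa) that builds the request envelope visible on the `Query:` lines, decodes the double-encoded `content` list returned by `get`, recognises the `already exists` rejection from the first schema case, and checks that a delete removed only the requested version. The socket path `/var/ossec/queue/sockets/engine-api` and the 4-byte little-endian length framing used by `send_query` are assumptions about the engine's Unix socket protocol, not facts taken from this page; `fake_engine` is an in-memory stand-in so the sequence can be replayed offline, and the sample responses are copied from the schema run above.

```python
"""Helpers for driving the engine catalog API over its Unix socket and for
checking the version-listing behaviour exercised by the runs above.
Added example; this is not wazuh-qa's test_api_endpoint.py."""
import json
import socket
import struct

# Assumed location of the engine API socket; not stated on this page.
API_SOCKET = "/var/ossec/queue/sockets/engine-api"


def build_query(subcommand, parameters, version=1):
    """Wrap a catalog case in the envelope seen on the 'Query:' lines above."""
    return {
        "version": version,
        "origin": {"name": "engine", "module": "api"},
        "command": "catalog.resource/%s" % subcommand,
        "parameters": parameters,
    }


def _recv_exact(sock, size):
    """recv() may return partial data; loop until `size` bytes or the peer closes."""
    buf = b""
    while len(buf) < size:
        chunk = sock.recv(size - len(buf))
        if not chunk:
            raise ConnectionError("socket closed before the full message arrived")
        buf += chunk
    return buf


def send_query(query, path=API_SOCKET, timeout=5.0):
    """Send one request over the engine's Unix stream socket and decode the reply.
    Framing is an assumption: a 4-byte little-endian length prefix in both
    directions (the Wazuh internal secure-socket convention); verify it against
    the engine build under test."""
    payload = json.dumps(query).encode("utf-8")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall(struct.pack("<I", len(payload)) + payload)
        (length,) = struct.unpack("<I", _recv_exact(sock, 4))
        return json.loads(_recv_exact(sock, length).decode("utf-8"))


def parse_listing(response):
    """'get' on type/name returns the version list as a JSON string inside
    data.content (double encoded), so it has to be decoded a second time."""
    data = response["data"]
    if data.get("status") != "OK":
        raise RuntimeError(data.get("error", "engine returned ERROR without a message"))
    return json.loads(data["content"])


def is_duplicate_error(response):
    """True for the rejection seen when posting a version that already exists."""
    data = response["data"]
    return data.get("status") == "ERROR" and "already exists" in data.get("error", "")


def check_version_deleted(before, after, deleted):
    """Deleting one version must remove exactly that name and nothing else."""
    if deleted not in before or deleted in after:
        return False
    return [name for name in before if name != deleted] == after


def fake_engine(store):
    """In-memory stand-in for send_query so the sequence runs offline. `store`
    is a list of 'type/name/version' strings; replies copy the shapes above."""
    def transport(query):
        sub = query["command"].rsplit("/", 1)[1]
        name = query["parameters"].get("name", "")
        if sub == "get":
            versions = [n for n in store if n.startswith(name + "/")]
            return {"data": {"status": "OK", "content": json.dumps(versions)}, "error": 0}
        if sub == "delete" and name in store:
            store.remove(name)
            return {"data": {"status": "OK"}, "error": 0}
        return {"data": {"status": "ERROR", "error": "fake engine: cannot %s %s" % (sub, name)}, "error": 0}
    return transport


def run_delete_check(transport, base_name, version_to_delete):
    """Replay the get/delete/get tail of the runs above through `transport`
    (send_query against a live manager, or fake_engine offline)."""
    listing = build_query("get", {"name": base_name, "format": "json"})
    before = parse_listing(transport(listing))
    transport(build_query("delete", {"name": version_to_delete}))
    after = parse_listing(transport(listing))
    return check_version_deleted(before, after, version_to_delete)


# Constructed sample responses, copied from the schema run above.
SAMPLE_BEFORE = {"data": {"status": "OK",
                          "content": "[\"schema/new-asset/0\",\"schema/new-asset/1\"]"}, "error": 0}
SAMPLE_DUPLICATE = {"data": {"status": "ERROR", "error": "Content 'schema/new-asset/0' could not be "
                    "added to store: File '/var/ossec/engine/store/schema/new-asset/0' already exists"},
                    "error": 0}

if __name__ == "__main__":
    engine = fake_engine(["schema/new-asset/0", "schema/new-asset/1", "policy/newpolicy/0"])
    print(run_delete_check(engine, "schema/new-asset", "schema/new-asset/1"))  # True
```

When asserting on the duplicate-post rejection, match `status` and the `already exists` substring rather than the whole string: the engine echoes the on-disk store path (`/var/ossec/engine/store/...`), which depends on the install and would make the check brittle.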
Delete an output's version :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "output",
      "format": "json",
      "content": "{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\"},\"compatibility\":\"This decoder has been tested on Wazuh version 4.4\\n\",\"description\":\"Output events to a file\",\"title\":\"file output event\"},\"name\":\"output/newoutput/0\",\"outputs\":[{\"file\":{\"path\":\"/var/ossec/logs/alerts/alerts-ECS.json\"}}]}"
    }
  },
  {
    "command": "router",
    "subcommand": "post",
    "parameters": {
      "type": "output",
      "format": "json",
      "content": "{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\"},\"compatibility\":\"This decoder has been tested on Wazuh version 4.4\\n\",\"description\":\"Output events to a file\",\"title\":\"file output event\"},\"name\":\"output/newoutput/1\",\"outputs\":[{\"file\":{\"path\":\"/var/ossec/logs/alerts/alerts-ECS.json\"}}]}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "output/newoutput",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "output/newoutput/1"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "output/newoutput",
      "format": "json"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'output', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/newoutput/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'output', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/newoutput/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'router', 'subcommand': 'post', 'parameters': {'type': 'output', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/newoutput/1","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'output', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/newoutput/1","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/newoutput', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/newoutput', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"output/newoutput/0\",\"output/newoutput/1\"]"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'output/newoutput/1'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'output/newoutput/1'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'output/newoutput', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'output/newoutput', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"output/newoutput/0\"]"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Delete a filter's version :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "post",
    "parameters": {
      "type": "filter",
      "format": "json",
      "content": "{\"metadata\":{\"author\":{\"date\":\"2023/11/08\",\"name\":\"Wazuh, Inc.\",\"url\":\"https://wazuh.com\"},\"description\":\"Default filter to allow all events (for default ruleset)\"},\"name\":\"filter/new-filter/0\"}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "post",
    "parameters": {
      "type": "filter",
      "format": "json",
      "content": "{\"metadata\":{\"author\":{\"date\":\"2023/11/08\",\"name\":\"Wazuh, Inc.\",\"url\":\"https://wazuh.com\"},\"description\":\"Default filter to allow all events (for default ruleset)\"},\"name\":\"filter/new-filter/1\"}"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "filter/new-filter",
      "format": "json"
    }
  },
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "filter/new-filter/1"
    }
  },
  {
    "command": "catalog",
    "subcommand": "get",
    "parameters": {
      "name": "filter/new-filter",
      "format": "json"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'post', 'parameters': {'type': 'filter', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/new-filter/0"}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'filter', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/new-filter/0"}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'post', 'parameters': {'type': 'filter', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/new-filter/1"}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'filter', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/new-filter/1"}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/new-filter', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/new-filter', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"filter/new-filter/0\",\"filter/new-filter/1\"]"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'filter/new-filter/1'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'filter/new-filter/1'}}
Response: {"data":{"status":"OK"},"error":0}
---------
Case: {'command': 'catalog', 'subcommand': 'get', 'parameters': {'name': 'filter/new-filter', 'format': 'json'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/get', 'parameters': {'name': 'filter/new-filter', 'format': 'json'}}
Response: {"data":{"status":"OK","content":"[\"filter/new-filter/0\"]"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
roronoasins commented 1 year ago

Scenario Outline 16: catalog - delete a non-existing item

Delete a non-existing decoder :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "decoder/none"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'decoder/none'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'decoder/none'}}
Response: {"data":{"status":"ERROR","error":"Content 'decoder/none' could not be deleted from store: File '/var/ossec/engine/store/decoder/none' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Delete a non-existing schema :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "schema/none-asset"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'schema/none-asset'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'schema/none-asset'}}
Response: {"data":{"status":"ERROR","error":"Content 'schema/none-asset' could not be deleted from store: File '/var/ossec/engine/store/schema/none-asset' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Delete a non-existing policy :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "policy/nonepolicy"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'policy/nonepolicy'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'policy/nonepolicy'}}
Response: {"data":{"status":"ERROR","error":"Content 'policy/nonepolicy' could not be deleted from store: File '/var/ossec/engine/store/policy/nonepolicy' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Delete a non-existing output :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "output/nooutput"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'output/nooutput'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'output/nooutput'}}
Response: {"data":{"status":"ERROR","error":"Content 'output/nooutput' could not be deleted from store: File '/var/ossec/engine/store/output/nooutput' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Delete a non-existing filter :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "filter/no-filter"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'filter/no-filter'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'filter/no-filter'}}
Response: {"data":{"status":"ERROR","error":"Content 'filter/no-filter' could not be deleted from store: File '/var/ossec/engine/store/filter/no-filter' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario Outline 17: catalog - delete a non-existing item version

Delete a non-existing decoder's version :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "decoder/wazuh-integrations/3"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'decoder/wazuh-integrations/3'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'decoder/wazuh-integrations/3'}}
Response: {"data":{"status":"ERROR","error":"Content 'decoder/wazuh-integrations/3' could not be deleted from store: File '/var/ossec/engine/store/decoder/wazuh-integrations/3' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Delete a non-existing schema's version :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "schema/wazuh-asset/1"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'schema/wazuh-asset/1'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'schema/wazuh-asset/1'}}
Response: {"data":{"status":"ERROR","error":"Content 'schema/wazuh-asset/1' could not be deleted from store: File '/var/ossec/engine/store/schema/wazuh-asset/1' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Delete a non-existing policy's version :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "policy/wazuh/1"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'policy/wazuh/1'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'policy/wazuh/1'}}
Response: {"data":{"status":"ERROR","error":"Content 'policy/wazuh/1' could not be deleted from store: File '/var/ossec/engine/store/policy/wazuh/1' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Delete a non-existing output's version :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "output/file-output/31"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'output/file-output/31'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'output/file-output/31'}}
Response: {"data":{"status":"ERROR","error":"Content 'output/file-output/31' could not be deleted from store: File '/var/ossec/engine/store/output/file-output/31' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Delete a non-existing filter's version :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "filter/new-filter/1"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'filter/new-filter/1'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'filter/new-filter/1'}}
Response: {"data":{"status":"ERROR","error":"Content 'filter/new-filter/1' could not be deleted from store: File '/var/ossec/engine/store/filter/new-filter/1' does not exist"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario 18: use a not valid name parameter format

Use a not valid name parameter format :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "delete",
    "parameters": {
      "name": "filter/new-filter/1/noexpected"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'delete', 'parameters': {'name': 'filter/new-filter/1/noexpected'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/delete', 'parameters': {'name': 'filter/new-filter/1/noexpected'}}
Response: {"data":{"status":"ERROR","error":"Invalid name \"filter/new-filter/1/noexpected\" received, a name with 1, 2 or 3 parts was expected"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
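The delete-a-version runs above (scenario outlines 15 to 17) and the invalid-name run (scenario 18) all share one shape: a `cases.json` entry becomes a `catalog.resource/<subcommand>` query with a fixed `origin`, the response envelope signals failure through `data.status` while the outer `error` field stays `0` in every run shown, a successful `get` carries its listing as a JSON string nested inside the JSON envelope, and a delete of `<name>/<version>` must leave the listing equal to the previous one minus that single entry. The Python below is an added example written for this write-up, not the `test_api_endpoint.py` script from wazuh-qa nor engine code: it does not open the API socket, the responses it checks are constructed inline from the outputs above, only the `catalog` command is translated (the `router` cases above also came out as `catalog.resource/post`, which this example does not try to explain), and the names `is_valid_name`, `build_query`, `parse_response` and `check_version_deleted` are the example's own.

```python
from __future__ import annotations

import json

# Origin header that every query printed in the runs above carries.
ORIGIN = {"name": "engine", "module": "api"}
API_VERSION = 1


def is_valid_name(name: str) -> bool:
    """Client-side mirror of the check behind the scenario 18 error:
    a catalog name must have 1, 2 or 3 non-empty '/'-separated parts."""
    parts = name.split("/")
    return 1 <= len(parts) <= 3 and all(parts)


def build_query(case: dict) -> dict:
    """Translate one cases.json entry into the query shape printed by the
    test script.  Only 'catalog' is handled here (example restriction); a
    malformed name is rejected before anything reaches the socket."""
    if case["command"] != "catalog":
        raise ValueError(f"unsupported command: {case['command']}")
    name = case["parameters"].get("name")
    if name is not None and not is_valid_name(name):
        raise ValueError(f"invalid name {name!r}: 1, 2 or 3 parts expected")
    return {
        "version": API_VERSION,
        "origin": dict(ORIGIN),
        "command": f"catalog.resource/{case['subcommand']}",
        "parameters": dict(case["parameters"]),
    }


def parse_response(raw: str) -> tuple[bool, object]:
    """Decode an engine response envelope.  Returns (ok, payload): on success
    payload is the decoded 'content' (a JSON string inside the JSON envelope,
    so it is decoded a second time), on failure it is the error text.  The
    outer 'error' field is 0 even for ERROR status in the runs above, so
    data.status is the field to trust."""
    envelope = json.loads(raw)
    data = envelope.get("data", {})
    if data.get("status") != "OK":
        return False, data.get("error", "unknown error")
    content = data.get("content")
    return True, (json.loads(content) if content is not None else None)


def check_version_deleted(before_raw: str, after_raw: str, deleted: str) -> bool:
    """Invariant exercised by the 'delete a version' cases: the deleted entry
    was listed before, and the listing afterwards is the old one minus it."""
    ok_before, before = parse_response(before_raw)
    ok_after, after = parse_response(after_raw)
    if not (ok_before and ok_after):
        return False
    return deleted in before and after == [v for v in before if v != deleted]


# Constructed sample responses, copied from the policy/newpolicy and
# decoder/none runs shown in the comments above.
BEFORE = '{"data":{"status":"OK","content":"[\\"policy/newpolicy/0\\",\\"policy/newpolicy/1\\"]"},"error":0}'
AFTER = '{"data":{"status":"OK","content":"[\\"policy/newpolicy/0\\"]"},"error":0}'
MISSING = ('{"data":{"status":"ERROR","error":"Content \'decoder/none\' could not be deleted '
           'from store: File \'/var/ossec/engine/store/decoder/none\' does not exist"},"error":0}')


if __name__ == "__main__":
    delete_case = {"command": "catalog", "subcommand": "delete",
                   "parameters": {"name": "policy/newpolicy/1"}}
    print(json.dumps(build_query(delete_case)))
    print("version removed:", check_version_deleted(BEFORE, AFTER, "policy/newpolicy/1"))
    print("missing item:", parse_response(MISSING))
```

Rejecting a name with more than three parts on the client side does not replace the engine's own check; it just keeps a typo in `cases.json` from being reported as an engine error, so a real ERROR in the run stays meaningful.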
roronoasins commented 1 year ago

Scenario Outline 19: catalog - validate an item type with valid syntax

Validate a decoder using json format :green_circle:

1. Start the manager
```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```
2. Add the cases to the `cases.json`
```json
[
  {
    "command": "catalog",
    "subcommand": "validate",
    "parameters": {
      "name": "decoder/custom/7",
      "format": "json",
      "content": "{\"name\":\"decoder/newdecoder/7\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  }
]
```
3. Run the custom script to perform the request to the API socket
```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"name":"decoder/newdecoder/7","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"name":"decoder/newdecoder/7","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"OK"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Validate a schema using json format :yellow_circle: 1. Start the manager ``` root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# ``` 2. Add the cases to the `cases.json` ```json [ { "command": "catalog", "subcommand": "validate", "parameters": { "name": "schema/new-asset/0", "format": "json", "content": "{\"$schema\":\"http://json-schema.org/draft-07/schema#\",\"$id\":\"wazuh-asset.json\",\"name\":\"schema/new-asset/0\",\"title\":\"Schema for Wazuh assets\",\"type\":\"object\",\"description\":\"Schema for Wazuh assets\",\"additionalProperties\":false,\"required\":[\"name\",\"metadata\"],\"anyOf\":[{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"parse\"]},{\"required\":[\"normalize\"]}],\"not\":{\"anyOf\":[{\"required\":[\"allow\"]},{\"required\":[\"outputs\"]}]}},{\"required\":[\"outputs\"],\"not\":{\"anyOf\":[{\"required\":[\"normalize\"]},{\"required\":[\"parse\"]}]}},{\"required\":[\"allow\",\"sources\"],\"not\":{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"normalize\"]}]}}],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name of the asset, short and concise name to identify this asset\",\"pattern\":\"^[^/]+/[^/]+/[^/]+$\"},\"metadata\":{\"type\":\"object\",\"description\":\"Metadata of this item\",\"additionalProperties\":false,\"required\":[\"module\",\"title\",\"description\",\"compatibility\",\"versions\",\"author\",\"references\"],\"properties\":{\"module\":{\"type\":\"string\",\"description\":\"The module this item belongs to\"},\"title\":{\"type\":\"string\",\"description\":\"Short and concise description of this item\"},\"description\":{\"type\":\"string\",\"description\":\"Long description of this item, explaining what it does and how it works\"},\"compatibility\":{\"type\":\"string\",\"description\":\"Description of the supported services and versions of the logs processed by this 
item\"},\"versions\":{\"type\":\"array\",\"description\":\"A list of the service versions supported\",\"items\":{\"type\":\"string\"}},\"author\":{\"type\":\"object\",\"description\":\"Author\",\"additionalProperties\":false,\"required\":[\"name\",\"date\"],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name/Organization\"},\"email\":{\"type\":\"string\",\"description\":\"Email\"},\"url\":{\"type\":\"string\",\"description\":\"URL linking to the author's website\"},\"date\":{\"type\":\"string\",\"description\":\"Date of the author\"}}},\"references\":{\"type\":\"array\",\"description\":\"References to external resources\"}}},\"sources\":{\"type\":\"array\",\"description\":\"This asset will process events coming only from the specified sources\",\"items\":{\"type\":\"string\"}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"allow\":{\"$ref\":\"#/definitions/_check\"},\"normalize\":{\"type\":\"array\",\"description\":\"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].\",\"minItems\":1,\"items\":{\"$ref\":\"#/definitions/_normalizeBlock\"}},\"outputs\":{\"type\":\"array\",\"description\":\"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.\",\"minItems\":1},\"definitions\":{\"type\":\"object\",\"description\":\"Variable definitions, used to define variables that can be reused in other parts of the item\",\"minProperties\":1},\"parse\":{\"$ref\":\"#/definitions/_parse\"}},\"definitions\":{\"_check\":{\"oneOf\":[{\"type\":\"array\",\"description\":\"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.\",\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]},\"minItems\":1},{\"type\":\"string\",\"description\":\"Check conditional expression, the expression must be valuated to true in order to further process events with this asset\"}]},\"_logpar\":{\"type\":\"array\",\"description\":\"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.\",\"minItems\":1,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"_parse\":{\"type\":\"object\",\"description\":\"Parse the event using the specified parser engine. Suports `logpar` parser.\",\"additionalProperties\":false,\"minProperties\":1,\"properties\":{\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}},\"_normalizeBlock\":{\"type\":\"object\",\"description\":\"Never shown\",\"minItems\":1,\"additionalProperties\":true,\"properties\":{\"map\":{\"description\":\"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. 
If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.\",\"type\":\"array\",\"minItems\":2,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}}}}" } }, { "command": "catalog", "subcommand": "post", "parameters": { "type": "schema", "format": "json", "content": "{\"$schema\":\"http://json-schema.org/draft-07/schema#\",\"$id\":\"wazuh-asset.json\",\"name\":\"schema/new-asset/0\",\"title\":\"Schema for Wazuh assets\",\"type\":\"object\",\"description\":\"Schema for Wazuh assets\",\"additionalProperties\":false,\"required\":[\"name\",\"metadata\"],\"anyOf\":[{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"parse\"]},{\"required\":[\"normalize\"]}],\"not\":{\"anyOf\":[{\"required\":[\"allow\"]},{\"required\":[\"outputs\"]}]}},{\"required\":[\"outputs\"],\"not\":{\"anyOf\":[{\"required\":[\"normalize\"]},{\"required\":[\"parse\"]}]}},{\"required\":[\"allow\",\"sources\"],\"not\":{\"anyOf\":[{\"required\":[\"check\"]},{\"required\":[\"normalize\"]}]}}],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name of the asset, short and concise name to identify this asset\",\"pattern\":\"^[^/]+/[^/]+/[^/]+$\"},\"metadata\":{\"type\":\"object\",\"description\":\"Metadata of this item\",\"additionalProperties\":false,\"required\":[\"module\",\"title\",\"description\",\"compatibility\",\"versions\",\"author\",\"references\"],\"properties\":{\"module\":{\"type\":\"string\",\"description\":\"The module this item belongs to\"},\"title\":{\"type\":\"string\",\"description\":\"Short and concise description of this item\"},\"description\":{\"type\":\"string\",\"description\":\"Long description of this item, explaining what it does and how it 
works\"},\"compatibility\":{\"type\":\"string\",\"description\":\"Description of the supported services and versions of the logs processed by this item\"},\"versions\":{\"type\":\"array\",\"description\":\"A list of the service versions supported\",\"items\":{\"type\":\"string\"}},\"author\":{\"type\":\"object\",\"description\":\"Author\",\"additionalProperties\":false,\"required\":[\"name\",\"date\"],\"properties\":{\"name\":{\"type\":\"string\",\"description\":\"Name/Organization\"},\"email\":{\"type\":\"string\",\"description\":\"Email\"},\"url\":{\"type\":\"string\",\"description\":\"URL linking to the author's website\"},\"date\":{\"type\":\"string\",\"description\":\"Date of the author\"}}},\"references\":{\"type\":\"array\",\"description\":\"References to external resources\"}}},\"sources\":{\"type\":\"array\",\"description\":\"This asset will process events coming only from the specified sources\",\"items\":{\"type\":\"string\"}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"allow\":{\"$ref\":\"#/definitions/_check\"},\"normalize\":{\"type\":\"array\",\"description\":\"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].\",\"minItems\":1,\"items\":{\"$ref\":\"#/definitions/_normalizeBlock\"}},\"outputs\":{\"type\":\"array\",\"description\":\"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.\",\"minItems\":1},\"definitions\":{\"type\":\"object\",\"description\":\"Variable definitions, used to define variables that can be reused in other parts of the item\",\"minProperties\":1},\"parse\":{\"$ref\":\"#/definitions/_parse\"}},\"definitions\":{\"_check\":{\"oneOf\":[{\"type\":\"array\",\"description\":\"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.\",\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]},\"minItems\":1},{\"type\":\"string\",\"description\":\"Check conditional expression, the expression must be valuated to true in order to further process events with this asset\"}]},\"_logpar\":{\"type\":\"array\",\"description\":\"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.\",\"minItems\":1,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"_parse\":{\"type\":\"object\",\"description\":\"Parse the event using the specified parser engine. Suports `logpar` parser.\",\"additionalProperties\":false,\"minProperties\":1,\"properties\":{\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}},\"_normalizeBlock\":{\"type\":\"object\",\"description\":\"Never shown\",\"minItems\":1,\"additionalProperties\":true,\"properties\":{\"map\":{\"description\":\"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. 
If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. If `value` is a reference it will be used as new value only if the reference exists.\",\"type\":\"array\",\"minItems\":2,\"items\":{\"allOf\":[{\"$ref\":\"fields.json#\"},{\"maxProperties\":1}]}},\"check\":{\"$ref\":\"#/definitions/_check\"},\"logpar\":{\"$ref\":\"#/definitions/_logpar\"}}}}}" } } ] ``` 3. Run the custom script to perform the request to the API socket ``` root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py --------- Case: {'command': 'catalog', 'subcommand': 'validate', 'parameters': {'name': 'schema/new-asset/0', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it 
works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'schema/new-asset/0', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions 
supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}} Response: {"data":{"status":"ERROR","error":"Invalid resource type 'schema' for VALIDATE operation"},"error":0} --------- Case: {'command': 'catalog', 'subcommand': 'post', 'parameters': {'type': 'schema', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions 
supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}} Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/post', 'parameters': {'type': 'schema', 'format': 'json', 'content': '{"$schema":"http://json-schema.org/draft-07/schema#","$id":"wazuh-asset.json","name":"schema/new-asset/0","title":"Schema for Wazuh assets","type":"object","description":"Schema for Wazuh assets","additionalProperties":false,"required":["name","metadata"],"anyOf":[{"anyOf":[{"required":["check"]},{"required":["parse"]},{"required":["normalize"]}],"not":{"anyOf":[{"required":["allow"]},{"required":["outputs"]}]}},{"required":["outputs"],"not":{"anyOf":[{"required":["normalize"]},{"required":["parse"]}]}},{"required":["allow","sources"],"not":{"anyOf":[{"required":["check"]},{"required":["normalize"]}]}}],"properties":{"name":{"type":"string","description":"Name of the asset, short and concise name to identify this asset","pattern":"^[^/]+/[^/]+/[^/]+$"},"metadata":{"type":"object","description":"Metadata of this item","additionalProperties":false,"required":["module","title","description","compatibility","versions","author","references"],"properties":{"module":{"type":"string","description":"The module this item belongs to"},"title":{"type":"string","description":"Short and concise description of this item"},"description":{"type":"string","description":"Long description of this item, explaining what it does and how it works"},"compatibility":{"type":"string","description":"Description of the supported services and versions of the logs processed by this item"},"versions":{"type":"array","description":"A list of the service versions 
supported","items":{"type":"string"}},"author":{"type":"object","description":"Author","additionalProperties":false,"required":["name","date"],"properties":{"name":{"type":"string","description":"Name/Organization"},"email":{"type":"string","description":"Email"},"url":{"type":"string","description":"URL linking to the author\'s website"},"date":{"type":"string","description":"Date of the author"}}},"references":{"type":"array","description":"References to external resources"}}},"sources":{"type":"array","description":"This asset will process events coming only from the specified sources","items":{"type":"string"}},"check":{"$ref":"#/definitions/_check"},"allow":{"$ref":"#/definitions/_check"},"normalize":{"type":"array","description":"Modify the event. All operations are performed in declaration order and on best effort, this stage is a list composed of blocks, where each block can be a map [map] or a conditional map [check, map].","minItems":1,"items":{"$ref":"#/definitions/_normalizeBlock"}},"outputs":{"type":"array","description":"Outputs of the asset. 
All outputs are performed in declaration order and on best effort, this stage is a list composed of specific outputs types.","minItems":1},"definitions":{"type":"object","description":"Variable definitions, used to define variables that can be reused in other parts of the item","minProperties":1},"parse":{"$ref":"#/definitions/_parse"}},"definitions":{"_check":{"oneOf":[{"type":"array","description":"Check list, all conditions must be met in order to further process events with this asset, conditions are expressed as `field`: `condition`, where `field` is the field to check and `condition` can be a value, a reference or a conditional helper function.","items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]},"minItems":1},{"type":"string","description":"Check conditional expression, the expression must be valuated to true in order to further process events with this asset"}]},"_logpar":{"type":"array","description":"Try to parse a field of the event. Terminates once a parser expression matches. If no parser expression matches, this asset will not continue processing the event. Parser expressions are defined using the `field`: `logpar_expression`, where `field` is the field name and `logpar_expression` is the Logpar expression to be evaluated.","minItems":1,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"_parse":{"type":"object","description":"Parse the event using the specified parser engine. Suports `logpar` parser.","additionalProperties":false,"minProperties":1,"properties":{"logpar":{"$ref":"#/definitions/_logpar"}}},"_normalizeBlock":{"type":"object","description":"Never shown","minItems":1,"additionalProperties":true,"properties":{"map":{"description":"Modify fields on the event, an array composed of tuples with syntax `- field`: `value`, where `field` is the field to modify and `value` is the new value. If `value` is a function helper, it will be executed and the result will be used as new value if executed correctly. 
If `value` is a reference it will be used as new value only if the reference exists.","type":"array","minItems":2,"items":{"allOf":[{"$ref":"fields.json#"},{"maxProperties":1}]}},"check":{"$ref":"#/definitions/_check"},"logpar":{"$ref":"#/definitions/_logpar"}}}}}'}}
Response: {"data":{"status":"OK"},"error":0}
---------
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> You are not able to validate schemas
Validate a policy using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
    {
        "command": "router",
        "subcommand": "validate",
        "parameters": {
            "name": "policy/custom/0",
            "format": "json",
            "content": "{\"name\":\"policy/custom/0\",\"integrations\":[\"integration/wazuh-core/1\"]}"
        }
    }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'router', 'subcommand': 'validate', 'parameters': {'name': 'policy/custom/0', 'format': 'json', 'content': '{"name":"policy/custom/0","integrations":["integration/wazuh-core/1"]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'policy/custom/0', 'format': 'json', 'content': '{"name":"policy/custom/0","integrations":["integration/wazuh-core/1"]}'}}
Response: {"data":{"status":"OK"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Validate an output using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
    {
        "command": "router",
        "subcommand": "validate",
        "parameters": {
            "name": "output/newoutput/0",
            "format": "json",
            "content": "{\"metadata\":{\"author\":{\"date\":\"2022/11/08\",\"name\":\"Wazuh, Inc.\"},\"compatibility\":\"This decoder has been tested on Wazuh version 4.4\\n\",\"description\":\"Output events to a file\",\"title\":\"file output event\"},\"name\":\"output/newoutput/0\",\"outputs\":[{\"file\":{\"path\":\"/var/ossec/logs/alerts/alerts-ECS.json\"}}]}"
        }
    }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'router', 'subcommand': 'validate', 'parameters': {'name': 'output/newoutput/0', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/newoutput/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'output/newoutput/0', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2022/11/08","name":"Wazuh, Inc."},"compatibility":"This decoder has been tested on Wazuh version 4.4\\n","description":"Output events to a file","title":"file output event"},"name":"output/newoutput/0","outputs":[{"file":{"path":"/var/ossec/logs/alerts/alerts-ECS.json"}}]}'}}
Response: {"data":{"status":"OK"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Validate a filter using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json` (the parameter key is `name`, as in the case the script prints below)

```json
[
    {
        "command": "catalog",
        "subcommand": "validate",
        "parameters": {
            "name": "filter/new-filter/0",
            "format": "json",
            "content": "{\"metadata\":{\"author\":{\"date\":\"2023/11/08\",\"name\":\"Wazuh, Inc.\",\"url\":\"https://wazuh.com\"},\"description\":\"Default filter to allow all events (for default ruleset)\"},\"name\":\"filter/new-filter/0\"}"
        }
    }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'validate', 'parameters': {'name': 'filter/new-filter/0', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/new-filter/0"}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'filter/new-filter/0', 'format': 'json', 'content': '{"metadata":{"author":{"date":"2023/11/08","name":"Wazuh, Inc.","url":"https://wazuh.com"},"description":"Default filter to allow all events (for default ruleset)"},"name":"filter/new-filter/0"}'}}
Response: {"data":{"status":"OK"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario Outline 20: catalog - validate a decoder with some missing section

Validate a decoder without name section using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
    {
        "command": "catalog",
        "subcommand": "validate",
        "parameters": {
            "name": "decoder/custom/7",
            "format": "json",
            "content": "{\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
        }
    }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"ERROR","error":"Asset 'name' field is missing"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Validate a decoder without sources section using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
    {
        "command": "catalog",
        "subcommand": "validate",
        "parameters": {
            "name": "decoder/custom/7",
            "format": "json",
            "content": "{\"name\":\"decoder/newdecoder/7\",\"metadata\":{\"description\":\"Accept all\"},\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
        }
    }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"name":"decoder/newdecoder/7","metadata":{"description":"Accept all"},"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"name":"decoder/newdecoder/7","metadata":{"description":"Accept all"},"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"OK"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> It is ok as the decoder only needs the name to be valid as of now.
> But now, as we need the `decoder/integrations/0` parent so it can be used within routes, should it fail since it won't work?
Validate a decoder without a check section using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
    {
        "command": "catalog",
        "subcommand": "validate",
        "parameters": {
            "name": "decoder/custom/7",
            "format": "json",
            "content": "{\"name\":\"decoder/newdecoder/7\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
        }
    }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"name":"decoder/newdecoder/7","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"name":"decoder/newdecoder/7","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"OK"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```
Validate a decoder without a parse section using json format :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
    {
        "command": "catalog",
        "subcommand": "validate",
        "parameters": {
            "name": "decoder/custom/7",
            "format": "json",
            "content": "{\"name\":\"decoder/newdecoder/7\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
        }
    }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"name":"decoder/newdecoder/7","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"name":"decoder/newdecoder/7","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"OK"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario Outline 21: catalog - validate an item with non-valid formatting

Validate a collection with non-valid formatting :green_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "validate",
    "parameters": {
      "name": "decoder/custom/7",
      "format": "json",
      "content": "{\"name\":]}"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"name":]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'decoder/custom/7', 'format': 'json', 'content': '{"name":]}'}}
Response: {"data":{"status":"ERROR","error":"Content could not be parsed to json: JSON document could not be parsed: Invalid value."},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

Scenario Outline 22: catalog - validate an item with wrong name parameter value

Validate an item with wrong name parameter :yellow_circle:

1. Start the manager

```
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine# systemctl start wazuh-manager.service
root@engine-metrics:/home/vagrant/engine/wazuh/src/engine#
```

2. Add the cases to the `cases.json`

```json
[
  {
    "command": "catalog",
    "subcommand": "validate",
    "parameters": {
      "name": "decoder",
      "format": "json",
      "content": "{\"name\":\"decoder/newdecoder/7\",\"metadata\":{\"description\":\"Accept all\"},\"sources\":[\"decoder/integrations/0\"],\"check\":\"+int_equal/wazuh.queue/51\",\"parse\":{\"logpar\":[{\"event.original\":\"hola <~test_route/text>\"}]},\"normalize\":[{\"check\":\"+exists/wazuh.queue\",\"map\":[{\"~env\":\"custom\"}]}]}"
    }
  }
]
```

3. Run the custom script to perform the request to the API socket

```
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine# python3 test_api_endpoint.py
---------
Case: {'command': 'catalog', 'subcommand': 'validate', 'parameters': {'name': 'decoder', 'format': 'json', 'content': '{"name":"decoder/newdecoder/7","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Query: {'version': 1, 'origin': {'name': 'engine', 'module': 'api'}, 'command': 'catalog.resource/validate', 'parameters': {'name': 'decoder', 'format': 'json', 'content': '{"name":"decoder/newdecoder/7","metadata":{"description":"Accept all"},"sources":["decoder/integrations/0"],"check":"+int_equal/wazuh.queue/51","parse":{"logpar":[{"event.original":"hola <~test_route/text>"}]},"normalize":[{"check":"+exists/wazuh.queue","map":[{"~env":"custom"}]}]}'}}
Response: {"data":{"status":"ERROR","error":"Invalid resource type 'collection' for VALIDATE operation"},"error":0}
root@engine:/media/sf_wazuh-qa/deps/wazuh_testing/wazuh_testing/modules/engine#
```

> It is a wrong log `Invalid resource type 'collection' for VALIDATE operation`
> It seems like you used `collection` as name parameter value
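As an added example (not the project's `test_api_endpoint.py`, whose socket framing is not shown in this thread), a small Python helper that builds the query envelope seen in the `Query:` lines above, pre-checks a case for the two error classes observed in Scenarios 21 and 22, and reads the reply by `data.status` rather than the outer `error` field. The three-part item-name rule is an assumption inferred from the `'collection'` error, and the cases are constructed samples.

```python
import json
from typing import Optional, Tuple

# Constructed cases in the shape of the cases.json entries above (sample values, not the page's).
CASES = [
    {"command": "catalog", "subcommand": "validate",
     "parameters": {"name": "decoder/custom/7", "format": "json",
                    "content": json.dumps({"name": "decoder/custom/7",
                                           "metadata": {"description": "Accept all"}})}},
    {"command": "catalog", "subcommand": "validate",  # Scenario 21: content that is not JSON
     "parameters": {"name": "decoder/custom/7", "format": "json", "content": '{"name":]}'}},
    {"command": "catalog", "subcommand": "validate",  # Scenario 22: a collection as the name
     "parameters": {"name": "decoder", "format": "json", "content": "{}"}},
]

def build_query(case: dict) -> dict:
    """Wrap a cases.json entry in the envelope shown in the Query lines above:
    version, origin and the '<command>.resource/<subcommand>' command string."""
    return {
        "version": 1,
        "origin": {"name": "engine", "module": "api"},
        "command": f"{case['command']}.resource/{case['subcommand']}",
        "parameters": case["parameters"],
    }

def precheck(params: dict) -> Optional[str]:
    """Reject, before touching the socket, the two inputs the engine rejected above.
    Assumption (inferred from the 'collection' error, not documented on the page): an
    item name has exactly three '/'-separated parts; anything shorter is a collection."""
    if params.get("format") == "json":
        try:
            json.loads(params["content"])
        except json.JSONDecodeError as exc:
            return f"content is not valid json: {exc.msg}"
    if len(params["name"].split("/")) != 3:
        return f"name '{params['name']}' is a collection, not an item"
    return None

def classify_response(raw: str) -> Tuple[bool, str]:
    """Parse the engine's reply. 'error' == 0 only means the request was handled;
    the outcome is data.status, which is 'ERROR' in Scenarios 21 and 22 although
    'error' is 0, so a check on 'error' alone would wrongly pass those cases."""
    resp = json.loads(raw)
    if resp.get("error", 1) != 0:
        return False, f"request rejected with error code {resp.get('error')}"
    data = resp.get("data") or {}
    if data.get("status") == "OK":
        return True, "OK"
    return False, data.get("error", "unknown error")
```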
roronoasins commented 1 year ago

Conclusion :red_circle:

After the testing, all seems good except for some wrong behavior.

Bugs List

Improvements list

JcabreraC commented 1 year ago

We have noted the errors to correct them in the next stage of the engine catalog review.

Thanks for the review.