diff --git a/CHANGELOG.md b/CHANGELOG.md
index 87570f08..95a9d18b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,26 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## [v3.10.0_7.3.2]
+
+### Added
+
+- Update to Wazuh v3.10.0
+
+### Changed
+
+- Updated Kibana [@jm404](https://github.com/jm404) [#237](https://github.com/wazuh/wazuh-ansible/pull/237)
+- Updated agent.conf template [@moodymob](https://github.com/moodymob) [#222](https://github.com/wazuh/wazuh-ansible/pull/222)
+- Improved molecule tests [@rshad](https://github.com/rshad) [#223](https://github.com/wazuh/wazuh-ansible/pull/223/files)
+- Moved "run_cluster_mode.sh" script to molecule folder [@jm404](https://github.com/jm404) [#a9d2c52](https://github.com/wazuh/wazuh-ansible/commit/a9d2c5201047c273c2c4fead5a54e576111da455)
+
+### Fixed
+
+- Fixed typo in the `agent.conf` template [@joey1a2b3c](https://github.com/joey1a2b3c) [#227](https://github.com/wazuh/wazuh-ansible/pull/227)
+- Updated conditionals in tasks to fix Amazon Linux installation [@jm404](https://github.com/jm404) [#229](https://github.com/wazuh/wazuh-ansible/pull/229)
+- Fixed Kibana installation in Amazon Linux [@jm404](https://github.com/jm404) [#232](https://github.com/wazuh/wazuh-ansible/pull/232)
+- Fixed Windows Agent installation and configuration [@jm404](https://github.com/jm404) [#234](https://github.com/wazuh/wazuh-ansible/pull/234)
+
 ## [v3.9.5_7.2.1]
 
 ### Added
diff --git a/VERSION b/VERSION
index 921c9fb1..2a8b969e 100644
--- a/VERSION
+++ b/VERSION
@@ -1,2 +1,2 @@
-WAZUH-ANSIBLE_VERSION="v3.9.5"
-REVISION="3950"
+WAZUH-ANSIBLE_VERSION="v3.10.0"
+REVISION="31000"
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
index 174a499f..03fe99d4 100644
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( def get_wazuh_version(): """This return the version of Wazuh.""" - return "3.9.5" + return "3.10.0" def test_wazuh_packages_are_installed(host): @@ -86,4 +86,4 @@ def test_filebeat_is_installed(host): """Test if the elasticsearch package is installed.""" filebeat = host.package("filebeat") assert filebeat.is_installed - assert filebeat.version.startswith('7.2.1') + assert filebeat.version.startswith('7.3.2') diff --git a/molecule/elasticsearch/tests/test_default.py b/molecule/elasticsearch/tests/test_default.py index 31c5da6c..f4021876 100644 --- a/molecule/elasticsearch/tests/test_default.py +++ b/molecule/elasticsearch/tests/test_default.py @@ -10,7 +10,7 @@ def test_elasticsearch_is_installed(host): """Test if the elasticsearch package is installed.""" elasticsearch = host.package("elasticsearch") assert elasticsearch.is_installed - assert elasticsearch.version.startswith('7.2.1') + assert elasticsearch.version.startswith('7.3.2') def test_elasticsearch_is_running(host): diff --git a/molecule/kibana/tests/test_default.py b/molecule/kibana/tests/test_default.py index f57bb8f7..ccd4d4f2 100644 --- a/molecule/kibana/tests/test_default.py +++ b/molecule/kibana/tests/test_default.py @@ -14,7 +14,7 @@ def test_port_kibana_is_open(host): def test_find_correct_elasticsearch_version(host): """Test if we find the kibana/elasticsearch version in package.json""" kibana = host.file("/usr/share/kibana/plugins/wazuh/package.json") - assert kibana.contains("7.2.1") + assert kibana.contains("7.3.2") def test_wazuh_plugin_installed(host): diff --git a/run_cluster_mode.sh b/molecule/run_cluster_mode.sh similarity index 100% rename from run_cluster_mode.sh rename to molecule/run_cluster_mode.sh diff --git a/molecule/wazuh-agent/tests/test_agents.py b/molecule/wazuh-agent/tests/test_agents.py index a4845d06..1846d3fe 100644 --- a/molecule/wazuh-agent/tests/test_agents.py 
+++ b/molecule/wazuh-agent/tests/test_agents.py @@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( def get_wazuh_version(): """This return the version of Wazuh.""" - return "3.9.5" + return "3.10.0" def test_ossec_package_installed(Package): diff --git a/molecule/worker/tests/test_default.py b/molecule/worker/tests/test_default.py index 8dc96bbf..4de03dc3 100644 --- a/molecule/worker/tests/test_default.py +++ b/molecule/worker/tests/test_default.py @@ -9,7 +9,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( def get_wazuh_version(): """This return the version of Wazuh.""" - return "3.9.5" + return "3.10.0" def test_wazuh_packages_are_installed(host): @@ -82,4 +82,4 @@ def test_filebeat_is_installed(host): """Test if the elasticsearch package is installed.""" filebeat = host.package("filebeat") assert filebeat.is_installed - assert filebeat.version.startswith('7.2.1') + assert filebeat.version.startswith('7.3.2') diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index 31ed74de..ca6dd06e 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -4,7 +4,7 @@ elasticsearch_node_name: node-1 elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_jvm_xms: null -elastic_stack_version: 7.2.1 +elastic_stack_version: 7.3.2 single_node: true elasticsearch_bootstrap_node: false elasticsearch_master_candidate: false diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2 deleted file mode 100644 index 18dda52f..00000000 --- a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2 +++ /dev/null 
@@ -1,621 +0,0 @@ -{ - "order": 0, - "template": "wazuh-alerts-3.x-*", - "settings": { - "index.refresh_interval": "5s" - }, - "mappings": { - "wazuh": { - "dynamic_templates": [ - { - "string_as_keyword": { - "match_mapping_type": "string", - "mapping": { - "type": "keyword", - "doc_values": "true" - } - } - } - ], - "properties": { - "@timestamp": { - "type": "date", - "format": "dateOptionalTime" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "AlertsFile": { - "type": "keyword", - "doc_values": "true" - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword", - "doc_values": "true" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword", - "doc_values": "true" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword", - "doc_values": "true" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword", - "doc_values": "true" - }, - "region_name": { - "type": "keyword", - "doc_values": "true" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword", - "doc_values": "true" - }, - "syscheck": { - "properties": { - "path": { - "type": "keyword", - "doc_values": 
"true" - }, - "sha1_before": { - "type": "keyword", - "doc_values": "true" - }, - "sha1_after": { - "type": "keyword", - "doc_values": "true" - }, - "uid_before": { - "type": "keyword", - "doc_values": "true" - }, - "uid_after": { - "type": "keyword", - "doc_values": "true" - }, - "gid_before": { - "type": "keyword", - "doc_values": "true" - }, - "gid_after": { - "type": "keyword", - "doc_values": "true" - }, - "perm_before": { - "type": "keyword", - "doc_values": "true" - }, - "perm_after": { - "type": "keyword", - "doc_values": "true" - }, - "md5_after": { - "type": "keyword", - "doc_values": "true" - }, - "md5_before": { - "type": "keyword", - "doc_values": "true" - }, - "gname_after": { - "type": "keyword", - "doc_values": "true" - }, - "gname_before": { - "type": "keyword", - "doc_values": "true" - }, - "inode_after": { - "type": "keyword", - "doc_values": "true" - }, - "inode_before": { - "type": "keyword", - "doc_values": "true" - }, - "mtime_after": { - "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" - }, - "mtime_before": { - "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" - }, - "uname_after": { - "type": "keyword", - "doc_values": "true" - }, - "uname_before": { - "type": "keyword", - "doc_values": "true" - }, - "size_before": { - "type": "long", - "doc_values": "true" - }, - "size_after": { - "type": "long", - "doc_values": "true" - }, - "diff": { - "type": "keyword", - "doc_values": "true" - }, - "event": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "location": { - "type": "keyword", - "doc_values": "true" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword", - "doc_values": "true" - }, - "groups": { - "type": "keyword", - "doc_values": "true" - }, - "level": { - "type": "long", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "cve": { - "type": "keyword", 
- "doc_values": "true" - }, - "info": { - "type": "keyword", - "doc_values": "true" - }, - "frequency": { - "type": "long", - "doc_values": "true" - }, - "firedtimes": { - "type": "long", - "doc_values": "true" - }, - "cis": { - "type": "keyword", - "doc_values": "true" - }, - "pci_dss": { - "type": "keyword", - "doc_values": "true" - }, - "gdpr": { - "type": "keyword", - "doc_values": "true" - }, - "gpg13": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword", - "doc_values": "true" - }, - "name": { - "type": "keyword", - "doc_values": "true" - }, - "ftscomment": { - "type": "keyword", - "doc_values": "true" - }, - "fts": { - "type": "long", - "doc_values": "true" - }, - "accumulate": { - "type": "long", - "doc_values": "true" - } - } - }, - "data": { - "properties": { - "protocol": { - "type": "keyword", - "doc_values": "true" - }, - "action": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "dstip": { - "type": "keyword", - "doc_values": "true" - }, - "srcport": { - "type": "keyword", - "doc_values": "true" - }, - "dstport": { - "type": "keyword", - "doc_values": "true" - }, - "srcuser": { - "type": "keyword", - "doc_values": "true" - }, - "dstuser": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "status": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "system_name": { - "type": "keyword", - "doc_values": "true" - }, - "url": { - "type": "keyword", - "doc_values": "true" - }, - "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - "check.description": 
{ - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - "type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } - } - }, - "audit": { - "properties": { - "type": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "syscall": { - "type": "keyword", - "doc_values": "true" - }, - "exit": { - "type": "keyword", - "doc_values": "true" - }, - "ppid": { - "type": "keyword", - "doc_values": "true" - }, - "pid": { - "type": "keyword", - "doc_values": "true" - }, - "auid": { - "type": "keyword", - "doc_values": "true" - }, - "uid": { - "type": "keyword", - "doc_values": "true" - }, - "gid": { - "type": "keyword", - "doc_values": "true" - }, - "euid": { - "type": "keyword", - "doc_values": "true" - }, - "suid": { - "type": "keyword", - "doc_values": "true" - }, - "fsuid": { - "type": "keyword", - "doc_values": "true" - }, - "egid": { - "type": "keyword", - "doc_values": "true" - }, - "sgid": { - "type": "keyword", - "doc_values": "true" - }, - "fsgid": { - "type": "keyword", - "doc_values": "true" - }, - "tty": { - "type": "keyword", - "doc_values": "true" - }, - "session": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "exe": { - "type": "keyword", - "doc_values": "true" - }, - "key": { - "type": "keyword", - "doc_values": "true" - }, - "cwd": { - 
"type": "keyword", - "doc_values": "true" - }, - "directory.name": { - "type": "keyword", - "doc_values": "true" - }, - "directory.inode": { - "type": "keyword", - "doc_values": "true" - }, - "directory.mode": { - "type": "keyword", - "doc_values": "true" - }, - "file.name": { - "type": "keyword", - "doc_values": "true" - }, - "file.inode": { - "type": "keyword", - "doc_values": "true" - }, - "file.mode": { - "type": "keyword", - "doc_values": "true" - }, - "acct": { - "type": "keyword", - "doc_values": "true" - }, - "dev": { - "type": "keyword", - "doc_values": "true" - }, - "enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "list": { - "type": "keyword", - "doc_values": "true" - }, - "old-auid": { - "type": "keyword", - "doc_values": "true" - }, - "old-ses": { - "type": "keyword", - "doc_values": "true" - }, - "old_enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "old_prom": { - "type": "keyword", - "doc_values": "true" - }, - "op": { - "type": "keyword", - "doc_values": "true" - }, - "prom": { - "type": "keyword", - "doc_values": "true" - }, - "res": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "subj": { - "type": "keyword", - "doc_values": "true" - }, - "success": { - "type": "keyword", - "doc_values": "true" - } - } - } - } - }, - "program_name": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword", - "doc_values": "true" - } - } - } - } -} diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 index 836b2cb2..06af6322 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 
+++ b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 
@@ -1,25 +1,426 @@ { "order": 0, - "index_patterns": ["wazuh-alerts-3.x-*"], + "index_patterns": [ + "wazuh-alerts-3.x-*", + "wazuh-archives-3.x-*" + ], "settings": { "index.refresh_interval": "5s", "index.number_of_shards": "3", "index.number_of_replicas": "0", "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 2000 + "index.mapping.total_fields.limit": 10000, + "index.query.default_field": [ + "GeoLocation.city_name", + "GeoLocation.continent_code", + "GeoLocation.country_code2", + "GeoLocation.country_code3", + "GeoLocation.country_name", + "GeoLocation.ip", + "GeoLocation.postal_code", + "GeoLocation.real_region_name", + "GeoLocation.region_name", + "GeoLocation.timezone", + "agent.id", + "agent.ip", + "agent.name", + "cluster.name", + "cluster.node", + "command", + "data", + "data.action", + "data.audit", + "data.audit.acct", + "data.audit.arch", + "data.audit.auid", + "data.audit.command", + "data.audit.cwd", + "data.audit.dev", + "data.audit.directory.inode", + "data.audit.directory.mode", + "data.audit.directory.name", + "data.audit.egid", + "data.audit.enforcing", + "data.audit.euid", + "data.audit.exe", + "data.audit.execve.a0", + "data.audit.execve.a1", + "data.audit.execve.a2", + "data.audit.execve.a3", + "data.audit.exit", + "data.audit.file.inode", + "data.audit.file.mode", + "data.audit.file.name", + "data.audit.fsgid", + "data.audit.fsuid", + "data.audit.gid", + "data.audit.id", + "data.audit.key", + "data.audit.list", + "data.audit.old-auid", + "data.audit.old-ses", + "data.audit.old_enforcing", + "data.audit.old_prom", + "data.audit.op", + "data.audit.pid", + "data.audit.ppid", + "data.audit.prom", + "data.audit.res", + "data.audit.session", + "data.audit.sgid", + "data.audit.srcip", + "data.audit.subj", + "data.audit.success", + "data.audit.suid", + "data.audit.syscall", + "data.audit.tty", + "data.audit.uid", + "data.aws.accountId", + "data.aws.account_id", + "data.aws.action", + "data.aws.actor", + 
"data.aws.aws_account_id", + "data.aws.description", + "data.aws.dstport", + "data.aws.errorCode", + "data.aws.errorMessage", + "data.aws.eventID", + "data.aws.eventName", + "data.aws.eventSource", + "data.aws.eventType", + "data.aws.id", + "data.aws.name", + "data.aws.requestParameters.accessKeyId", + "data.aws.requestParameters.bucketName", + "data.aws.requestParameters.gatewayId", + "data.aws.requestParameters.groupDescription", + "data.aws.requestParameters.groupId", + "data.aws.requestParameters.groupName", + "data.aws.requestParameters.host", + "data.aws.requestParameters.hostedZoneId", + "data.aws.requestParameters.instanceId", + "data.aws.requestParameters.instanceProfileName", + "data.aws.requestParameters.loadBalancerName", + "data.aws.requestParameters.loadBalancerPorts", + "data.aws.requestParameters.masterUserPassword", + "data.aws.requestParameters.masterUsername", + "data.aws.requestParameters.name", + "data.aws.requestParameters.natGatewayId", + "data.aws.requestParameters.networkAclId", + "data.aws.requestParameters.path", + "data.aws.requestParameters.policyName", + "data.aws.requestParameters.port", + "data.aws.requestParameters.stackId", + "data.aws.requestParameters.stackName", + "data.aws.requestParameters.subnetId", + "data.aws.requestParameters.subnetIds", + "data.aws.requestParameters.volumeId", + "data.aws.requestParameters.vpcId", + "data.aws.resource.accessKeyDetails.accessKeyId", + "data.aws.resource.accessKeyDetails.principalId", + "data.aws.resource.accessKeyDetails.userName", + "data.aws.resource.instanceDetails.instanceId", + "data.aws.resource.instanceDetails.instanceState", + "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.subnetId", + "data.aws.resource.instanceDetails.networkInterfaces.vpcId", + "data.aws.resource.instanceDetails.tags.value", + 
"data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", + "data.aws.responseElements.description", + "data.aws.responseElements.instanceId", + "data.aws.responseElements.instances.instanceId", + "data.aws.responseElements.instancesSet.items.instanceId", + "data.aws.responseElements.listeners.port", + "data.aws.responseElements.loadBalancerName", + "data.aws.responseElements.loadBalancers.vpcId", + "data.aws.responseElements.loginProfile.userName", + "data.aws.responseElements.networkAcl.vpcId", + "data.aws.responseElements.ownerId", + "data.aws.responseElements.publicIp", + "data.aws.responseElements.user.userId", + "data.aws.responseElements.user.userName", + "data.aws.responseElements.volumeId", + "data.aws.service.serviceName", + "data.aws.severity", + "data.aws.source", + "data.aws.sourceIPAddress", + "data.aws.srcport", + "data.aws.userIdentity.accessKeyId", + "data.aws.userIdentity.accountId", + "data.aws.userIdentity.userName", + "data.aws.vpcEndpointId", + "data.command", + "data.data", + "data.docker.Actor.Attributes.container", + "data.docker.Actor.Attributes.image", + "data.docker.Actor.Attributes.name", + "data.docker.Actor.ID", + "data.docker.id", + "data.docker.message", + "data.docker.status", + "data.dstip", + "data.dstport", + "data.dstuser", + "data.hardware.serial", + "data.id", + "data.integration", + "data.netinfo.iface.adapter", + "data.netinfo.iface.ipv4.address", + "data.netinfo.iface.ipv6.address", + "data.netinfo.iface.mac", + "data.netinfo.iface.name", + "data.os.architecture", + "data.os.build", + "data.os.codename", + "data.os.hostname", + "data.os.major", + "data.os.minor", + "data.os.name", + "data.os.platform", + "data.os.release", + "data.os.release_version", + "data.os.sysname", + "data.os.version", + "data.oscap.check.description", + "data.oscap.check.id", + "data.oscap.check.identifiers", + "data.oscap.check.oval.id", + "data.oscap.check.rationale", + "data.oscap.check.references", + "data.oscap.check.result", + 
"data.oscap.check.severity", + "data.oscap.check.title", + "data.oscap.scan.benchmark.id", + "data.oscap.scan.content", + "data.oscap.scan.id", + "data.oscap.scan.profile.id", + "data.oscap.scan.profile.title", + "data.osquery.columns.address", + "data.osquery.columns.command", + "data.osquery.columns.description", + "data.osquery.columns.dst_ip", + "data.osquery.columns.gid", + "data.osquery.columns.hostname", + "data.osquery.columns.md5", + "data.osquery.columns.path", + "data.osquery.columns.sha1", + "data.osquery.columns.sha256", + "data.osquery.columns.src_ip", + "data.osquery.columns.user", + "data.osquery.columns.username", + "data.osquery.name", + "data.osquery.pack", + "data.port.process", + "data.port.protocol", + "data.port.state", + "data.process.args", + "data.process.cmd", + "data.process.egroup", + "data.process.euser", + "data.process.fgroup", + "data.process.name", + "data.process.rgroup", + "data.process.ruser", + "data.process.sgroup", + "data.process.state", + "data.process.suser", + "data.program.architecture", + "data.program.description", + "data.program.format", + "data.program.location", + "data.program.multiarch", + "data.program.name", + "data.program.priority", + "data.program.section", + "data.program.source", + "data.program.vendor", + "data.program.version", + "data.protocol", + "data.pwd", + "data.sca", + "data.sca.check.compliance.cis", + "data.sca.check.compliance.cis_csc", + "data.sca.check.compliance.pci_dss", + "data.sca.check.compliance.hipaa", + "data.sca.check.compliance.nist_800_53", + "data.sca.check.description", + "data.sca.check.directory", + "data.sca.check.file", + "data.sca.check.id", + "data.sca.check.previous_result", + "data.sca.check.process", + "data.sca.check.rationale", + "data.sca.check.reason", + "data.sca.check.references", + "data.sca.check.registry", + "data.sca.check.remediation", + "data.sca.check.result", + "data.sca.check.status", + "data.sca.check.title", + "data.sca.description", + "data.sca.file", + 
"data.sca.invalid", + "data.sca.name", + "data.sca.policy", + "data.sca.policy_id", + "data.sca.scan_id", + "data.sca.total_checks", + "data.script", + "data.src_ip", + "data.src_port", + "data.srcip", + "data.srcport", + "data.srcuser", + "data.status", + "data.system_name", + "data.title", + "data.tty", + "data.uid", + "data.url", + "data.virustotal.description", + "data.virustotal.error", + "data.virustotal.found", + "data.virustotal.permalink", + "data.virustotal.scan_date", + "data.virustotal.sha1", + "data.virustotal.source.alert_id", + "data.virustotal.source.file", + "data.virustotal.source.md5", + "data.virustotal.source.sha1", + "data.vulnerability.advisories", + "data.vulnerability.bugzilla_reference", + "data.vulnerability.cve", + "data.vulnerability.cwe_reference", + "data.vulnerability.package.condition", + "data.vulnerability.package.name", + "data.vulnerability.package.version", + "data.vulnerability.reference", + "data.vulnerability.severity", + "data.vulnerability.state", + "data.vulnerability.title", + "data.win.eventdata.auditPolicyChanges", + "data.win.eventdata.auditPolicyChangesId", + "data.win.eventdata.binary", + "data.win.eventdata.category", + "data.win.eventdata.categoryId", + "data.win.eventdata.data", + "data.win.eventdata.image", + "data.win.eventdata.ipAddress", + "data.win.eventdata.ipPort", + "data.win.eventdata.keyName", + "data.win.eventdata.logonGuid", + "data.win.eventdata.logonProcessName", + "data.win.eventdata.operation", + "data.win.eventdata.parentImage", + "data.win.eventdata.processId", + "data.win.eventdata.processName", + "data.win.eventdata.providerName", + "data.win.eventdata.returnCode", + "data.win.eventdata.service", + "data.win.eventdata.status", + "data.win.eventdata.subcategory", + "data.win.eventdata.subcategoryGuid", + "data.win.eventdata.subcategoryId", + "data.win.eventdata.subjectDomainName", + "data.win.eventdata.subjectLogonId", + "data.win.eventdata.subjectUserName", + 
"data.win.eventdata.subjectUserSid", + "data.win.eventdata.targetDomainName", + "data.win.eventdata.targetLinkedLogonId", + "data.win.eventdata.targetLogonId", + "data.win.eventdata.targetUserName", + "data.win.eventdata.targetUserSid", + "data.win.eventdata.workstationName", + "data.win.system.channel", + "data.win.system.computer", + "data.win.system.eventID", + "data.win.system.eventRecordID", + "data.win.system.eventSourceName", + "data.win.system.keywords", + "data.win.system.level", + "data.win.system.message", + "data.win.system.opcode", + "data.win.system.processID", + "data.win.system.providerGuid", + "data.win.system.providerName", + "data.win.system.securityUserID", + "data.win.system.severityValue", + "data.win.system.userID", + "decoder.ftscomment", + "decoder.name", + "decoder.parent", + "full_log", + "host", + "id", + "input", + "location", + "manager.name", + "message", + "offset", + "predecoder.hostname", + "predecoder.program_name", + "previous_log", + "previous_output", + "program_name", + "rule.cis", + "rule.cve", + "rule.description", + "rule.gdpr", + "rule.gpg13", + "rule.groups", + "rule.id", + "rule.info", + "rule.pci_dss", + "syscheck.audit.effective_user.id", + "syscheck.audit.effective_user.name", + "syscheck.audit.group.id", + "syscheck.audit.group.name", + "syscheck.audit.login_user.id", + "syscheck.audit.login_user.name", + "syscheck.audit.process.id", + "syscheck.audit.process.name", + "syscheck.audit.process.ppid", + "syscheck.audit.user.id", + "syscheck.audit.user.name", + "syscheck.diff", + "syscheck.event", + "syscheck.gid_after", + "syscheck.gid_before", + "syscheck.gname_after", + "syscheck.gname_before", + "syscheck.inode_after", + "syscheck.inode_before", + "syscheck.md5_after", + "syscheck.md5_before", + "syscheck.path", + "syscheck.perm_after", + "syscheck.perm_before", + "syscheck.sha1_after", + "syscheck.sha1_before", + "syscheck.sha256_after", + "syscheck.sha256_before", + "syscheck.tags", + "syscheck.uid_after", + 
"syscheck.uid_before", + "syscheck.uname_after", + "syscheck.uname_before", + "title", + "type" + ] }, "mappings": { "dynamic_templates": [ { "string_as_keyword": { - "match_mapping_type": "string", "mapping": { - "type": "keyword", - "doc_values": "true" - } + "type": "keyword" + }, + "match_mapping_type": "string" } } ], + "date_detection": false, "properties": { "@timestamp": { "type": "date" @@ -34,42 +435,35 @@ "agent": { "properties": { "ip": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "manager": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "cluster": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "node": { + "type": "keyword" } } }, - "AlertsFile": { - "type": "keyword", - "doc_values": "true" - }, "full_log": { - "enabled": false, - "type": "object" + "type": "text" }, "previous_log": { "type": "text" @@ -80,8 +474,7 @@ "type": "long" }, "city_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "continent_code": { "type": "text" @@ -96,15 +489,13 @@ "type": "text" }, "country_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dma_code": { "type": "long" }, "ip": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "latitude": { "type": "double" @@ -119,12 +510,10 @@ "type": "keyword" }, "real_region_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "region_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "timezone": { "type": "text" 
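Review bot: The new `index.query.default_field` list includes `data.aws.requestParameters.masterUserPassword`, so every unqualified query string is matched against a credential-bearing field; CloudTrail normally redacts this value, but the template should not depend on that, and removing the entry from the default list (leaving any explicit mapping in place) keeps the field searchable only when named. The same hunk raises `index.mapping.total_fields.limit` from 2000 to 10000 while the `string_as_keyword` dynamic template still turns every unseen string key into a keyword field, and the added `wazuh-archives-3.x-*` pattern presumably routes a much broader event stream through this template, so the higher ceiling postpones a mapping explosion rather than preventing it. Since the file is a Jinja template, a `{# total_fields.limit raised for the archives index; dynamic string_as_keyword still maps every new key, so watch field count growth #}` comment above the setting would tell the next maintainer why 10000 was chosen and what to monitor. The top-level object continues past the hunk.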
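Review bot: `full_log` on the new side goes from `"enabled": false` (kept in `_source` but never indexed) to `"type": "text"`, and the first hunk also adds it to `index.query.default_field`, so the raw log line becomes analyzed, is matched by any unqualified query, and becomes a large contributor to index size. If making raw logs searchable is intended that is fine, but it deserves a `{# full_log is intentionally indexed as text; raw lines may carry credentials or personal data #}` comment so a later edit does not quietly revert or extend it. `AlertsFile` is dropped from the mapping in the same hunk; documents that still carry that field will now be mapped by the `string_as_keyword` dynamic template rather than by an explicit entry, which looks intended but is worth a line in the changelog. The enclosing `properties` object continues outside the hunk.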
@@ -132,110 +521,151 @@ } }, "host": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "syscheck": { "properties": { "path": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sha1_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sha1_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uid_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uid_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gid_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gid_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "perm_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "perm_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "md5_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "md5_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gname_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gname_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "inode_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "inode_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mtime_after": { "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" + "format": "date_optional_time" }, "mtime_before": { "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" + "format": "date_optional_time" }, "uname_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uname_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "size_before": { - "type": "long", - "doc_values": "true" + "type": "long" }, "size_after": { - "type": "long", - "doc_values": "true" + "type": "long" }, "diff": { - "type": "keyword", - "doc_values": 
"true" + "type": "keyword" }, "event": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "audit": { + "properties": { + "effective_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "login_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "sha256_after": { + "type": "keyword" + }, + "sha256_before": { + "type": "keyword" + }, + "tags": { + "type": "keyword" } } }, "location": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "message": { "type": "text" 
@@ -246,554 +676,441 @@ "rule": { "properties": { "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "groups": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "level": { - "type": "long", - "doc_values": "true" + "type": "long" }, "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cve": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "info": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "frequency": { - "type": "long", - "doc_values": "true" + "type": "long" }, "firedtimes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "cis": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pci_dss": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gdpr": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gpg13": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + }, + "mail": { + "type": "boolean" } } }, "predecoder": { "properties": { "program_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "timestamp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hostname": { + "type": "keyword" } } }, "decoder": { "properties": { "parent": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ftscomment": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "fts": { - "type": "long", - "doc_values": "true" + "type": "long" }, "accumulate": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "data": { "properties": { - "protocol": { - "type": "keyword", - "doc_values": "true" - }, - "action": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "dstip": { - 
"type": "keyword", - "doc_values": "true" - }, - "srcport": { - "type": "keyword", - "doc_values": "true" - }, - "dstport": { - "type": "keyword", - "doc_values": "true" - }, - "srcuser": { - "type": "keyword", - "doc_values": "true" - }, - "dstuser": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "status": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "system_name": { - "type": "keyword", - "doc_values": "true" - }, - "url": { - "type": "keyword", - "doc_values": "true" - }, - "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - "check.description": { - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - "type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } - } - }, "audit": { "properties": { - "type": { - "type": "keyword", - "doc_values": "true" + "acct": { + "type": "keyword" }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "syscall": { - "type": "keyword", - "doc_values": "true" - }, - "exit": { - "type": "keyword", - "doc_values": "true" - }, - "ppid": { - "type": 
"keyword", - "doc_values": "true" - }, - "pid": { - "type": "keyword", - "doc_values": "true" + "arch": { + "type": "keyword" }, "auid": { - "type": "keyword", - "doc_values": "true" - }, - "uid": { - "type": "keyword", - "doc_values": "true" - }, - "gid": { - "type": "keyword", - "doc_values": "true" - }, - "euid": { - "type": "keyword", - "doc_values": "true" - }, - "suid": { - "type": "keyword", - "doc_values": "true" - }, - "fsuid": { - "type": "keyword", - "doc_values": "true" - }, - "egid": { - "type": "keyword", - "doc_values": "true" - }, - "sgid": { - "type": "keyword", - "doc_values": "true" - }, - "fsgid": { - "type": "keyword", - "doc_values": "true" - }, - "tty": { - "type": "keyword", - "doc_values": "true" - }, - "session": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "command": { - "type": "keyword", - "doc_values": "true" - }, - "exe": { - "type": "keyword", - "doc_values": "true" - }, - "key": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cwd": { - "type": "keyword", - "doc_values": "true" - }, - "directory.name": { - "type": "keyword", - "doc_values": "true" - }, - "directory.inode": { - "type": "keyword", - "doc_values": "true" - }, - "directory.mode": { - "type": "keyword", - "doc_values": "true" - }, - "file.name": { - "type": "keyword", - "doc_values": "true" - }, - "file.inode": { - "type": "keyword", - "doc_values": "true" - }, - "file.mode": { - "type": "keyword", - "doc_values": "true" - }, - "acct": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dev": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, - "enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "list": { - "type": "keyword", - "doc_values": "true" - }, - "old-auid": { - "type": "keyword", - "doc_values": "true" - }, - "old-ses": { - "type": "keyword", - "doc_values": "true" - }, - "old_enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "old_prom": { - "type": 
"keyword", - "doc_values": "true" - }, - "op": { - "type": "keyword", - "doc_values": "true" - }, - "prom": { - "type": "keyword", - "doc_values": "true" - }, - "res": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "subj": { - "type": "keyword", - "doc_values": "true" - }, - "success": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "aws": { - "properties": { - "bytes": { - "type": "long", - "doc_values": "true" - }, - "dstaddr": { - "type": "ip", - "doc_values": "true" - }, - "srcaddr": { - "type": "ip", - "doc_values": "true" - }, - "end": { - "type": "date", - "doc_values": "true" - }, - "start": { - "type": "date", - "doc_values": "true" - }, - "source_ip_address": { - "type": "ip", - "doc_values": "true" - }, - "resource.instanceDetails.networkInterfaces": { + "directory": { "properties": { - "privateIpAddress": { - "type": "ip", - "doc_values": "true" + "inode": { + "type": "keyword" }, - "publicIp": { - "type": "ip", - "doc_values": "true" + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" } } }, - "service": { + "egid": { + "type": "keyword" + }, + "enforcing": { + "type": "keyword" + }, + "euid": { + "type": "keyword" + }, + "exe": { + "type": "keyword" + }, + "execve": { "properties": { - "count": { - "type": "long", - "doc_values": "true" + "a0": { + "type": "keyword" }, - "action.networkConnectionAction.remoteIpDetails": { + "a1": { + "type": "keyword" + }, + "a2": { + "type": "keyword" + }, + "a3": { + "type": "keyword" + } + } + }, + "exit": { + "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "fsgid": { + "type": "keyword" + }, + "fsuid": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "list": { + "type": "keyword" + }, + "old-auid": { + 
"type": "keyword" + }, + "old-ses": { + "type": "keyword" + }, + "old_enforcing": { + "type": "keyword" + }, + "old_prom": { + "type": "keyword" + }, + "op": { + "type": "keyword" + }, + "pid": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + }, + "prom": { + "type": "keyword" + }, + "res": { + "type": "keyword" + }, + "session": { + "type": "keyword" + }, + "sgid": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "subj": { + "type": "keyword" + }, + "success": { + "type": "keyword" + }, + "suid": { + "type": "keyword" + }, + "syscall": { + "type": "keyword" + }, + "tty": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + } + } + }, + "protocol": { + "type": "keyword" + }, + "action": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "dstip": { + "type": "keyword" + }, + "srcport": { + "type": "keyword" + }, + "dstport": { + "type": "keyword" + }, + "srcuser": { + "type": "keyword" + }, + "dstuser": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "system_name": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "oscap": { + "properties": { + "check": { + "properties": { + "description": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "identifiers": { + "type": "text" + }, + "oval": { "properties": { - "ipAddressV4": { - "type": "ip", - "doc_values": "true" - }, - "geoLocation": { - "type": "geo_point", - "doc_values": "true" + "id": { + "type": "keyword" } } + }, + "rationale": { + "type": "text" + }, + "references": { + "type": "text" + }, + "result": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "benchmark": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "content": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "profile": 
{ + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "return_code": { + "type": "long" + }, + "score": { + "type": "double" } } } } }, "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netinfo": { "properties": { "iface": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mac": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "adapter": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mtu": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_bytes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_bytes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_errors": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_errors": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_dropped": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_dropped": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_packets": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_packets": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ipv4": { "properties": { "gateway": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dhcp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "address": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netmask": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "broadcast": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "metric": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "ipv6": { "properties": { "gateway": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, 
"dhcp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "address": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netmask": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "broadcast": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "metric": { - "type": "long", - "doc_values": "true" + "type": "long" } } } 
@@ -804,630 +1121,523 @@ "os": { "properties": { "hostname": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "architecture": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "codename": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "major": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "minor": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "build": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "platform": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sysname": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "release": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "release_version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "port": { "properties": { "protocol": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "local_ip": { - "type": "ip", - "doc_values": "true" + "type": "ip" }, "local_port": { - "type": "long", - "doc_values": "true" + "type": "long" }, "remote_ip": { - "type": "ip", - "doc_values": "true" + "type": "ip" }, "remote_port": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_queue": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_queue": { - "type": "long", - "doc_values": "true" + "type": "long" }, "inode": { - "type": "long", - "doc_values": "true" + "type": "long" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "process": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "hardware": { "properties": { "serial": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cpu_name": 
{ - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cpu_cores": { - "type": "long", - "doc_values": "true" + "type": "long" }, "cpu_mhz": { - "type": "double", - "doc_values": "true" + "type": "double" }, "ram_total": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ram_free": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ram_usage": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "program": { "properties": { "format": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "priority": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "section": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "vendor": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "install_time": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "architecture": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "multiarch": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "source": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "location": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "process": { "properties": { "pid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ppid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "utime": { - "type": "long", - "doc_values": "true" + "type": "long" }, "stime": { - "type": "long", - "doc_values": "true" + "type": "long" }, 
"cmd": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "args": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "euser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ruser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "suser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "egroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "fgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "rgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "priority": { - "type": "long", - "doc_values": "true" + "type": "long" }, "nice": { - "type": "long", - "doc_values": "true" + "type": "long" }, "size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "vm_size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "resident": { - "type": "long", - "doc_values": "true" + "type": "long" }, "share": { - "type": "long", - "doc_values": "true" + "type": "long" }, "start_time": { - "type": "long", - "doc_values": "true" + "type": "long" }, "pgrp": { - "type": "long", - "doc_values": "true" + "type": "long" }, "session": { - "type": "long", - "doc_values": "true" + "type": "long" }, "nlwp": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tgid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tty": { - "type": "long", - "doc_values": "true" + "type": "long" }, "processor": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "sca": { "properties": { "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "scan_id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "policy": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, 
"file": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "passed": { - "type": "integer", - "doc_values": "true" + "type": "integer" }, "failed": { - "type": "integer", - "doc_values": "true" + "type": "integer" }, "score": { - "type": "long", - "doc_values": "true" + "type": "long" }, "check": { "properties": { "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "title": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "rationale": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "remediation": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "compliance": { "properties": { "cis": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cis_csc": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pci_dss": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" } } }, "references": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "file": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "directory": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "registry": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "process": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "result": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "previous_result": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "status": { + "type": "keyword" } } + }, + "invalid": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "total_checks": { + "type": "keyword" } } }, - "win": { + "command": { + "type": 
"keyword" + }, + "integration": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "virustotal": { "properties": { - "system": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { "properties": { - "providerName": { - "type": "keyword", - "doc_values": "true" + "alert_id": { + "type": "keyword" }, - "providerGuid": { - "type": "keyword", - "doc_values": "true" + "file": { + "type": "keyword" }, - "eventSourceName": { - "type": "keyword", - "doc_values": "true" + "md5": { + "type": "keyword" }, - "securityUserID": { - "type": "keyword", - "doc_values": "true" + "sha1": { + "type": "keyword" + } + } + }, + "total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "advisories": { + "type": "keyword" + }, + "bugzilla_reference": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss3_score": { + "type": "keyword" }, - "userID": { - "type": "keyword", - "doc_values": "true" + "cvss_score": { + "type": "keyword" }, - "eventID": { - "type": "keyword", - "doc_values": "true" + "cvss_scoring_vector": { + "type": "keyword" + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "condition": { + "type": "keyword" + }, + "name": { + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" - }, - "level": { - "type": "keyword", - "doc_values": "true" - }, - "task": { - "type": "keyword", - "doc_values": "true" - }, - "opcode": { - "type": "keyword", - "doc_values": "true" - }, - "keywords": { - "type": "keyword", - "doc_values": "true" - }, - "systemTime": { - "type": 
"keyword", - "doc_values": "true" - }, - "eventRecordID": { - "type": "keyword", - "doc_values": "true" - }, - "processID": { - "type": "keyword", - "doc_values": "true" - }, - "threadID": { - "type": "keyword", - "doc_values": "true" - }, - "channel": { - "type": "keyword", - "doc_values": "true" - }, - "computer": { - "type": "keyword", - "doc_values": "true" - }, - "severityValue": { - "type": "keyword", - "doc_values": "true" - }, - "message": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, - "eventdata": { + "published": { + "type": "date" + }, + "reference": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "bytes": { + "type": "long" + }, + "dstaddr": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "start": { + "type": "date" + }, + "source_ip_address": { + "type": "ip" + }, + "service": { "properties": { - "subjectUserSid": { - "type": "keyword", - "doc_values": "true" + "count": { + "type": "long" }, - "subjectUserName": { - "type": "keyword", - "doc_values": "true" + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + "ipAddressV4": { + "type": "ip" + }, + "geoLocation": { + "type": "geo_point" + } + } }, - "subjectDomainName": { - "type": "keyword", - "doc_values": "true" + "eventFirstSeen": { + "type": "date" }, - "subjectLogonId": { - "type": "keyword", - "doc_values": "true" - }, - "targetUserSid": { - "type": "keyword", - "doc_values": "true" - }, - "targetUserName": { - "type": "keyword", - "doc_values": "true" - }, - "targetDomainName": { - "type": "keyword", - "doc_values": "true" - }, - "targetLogonId": { - "type": "keyword", - "doc_values": "true" - }, - "logonType": { - "type": "keyword", - "doc_values": "true" - }, - "logonProcessName": { - "type": "keyword", - "doc_values": "true" - }, - "authenticationPackageName": { - 
"type": "keyword", - "doc_values": "true" - }, - "logonGuid": { - "type": "keyword", - "doc_values": "true" - }, - "keyLength": { - "type": "keyword", - "doc_values": "true" - }, - "impersonationLevel": { - "type": "keyword", - "doc_values": "true" - }, - "transactionId": { - "type": "keyword", - "doc_values": "true" - }, - "newState": { - "type": "keyword", - "doc_values": "true" - }, - "resourceManager": { - "type": "keyword", - "doc_values": "true" - }, - "processId": { - "type": "keyword", - "doc_values": "true" - }, - "processName": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "image": { - "type": "keyword", - "doc_values": "true" - }, - "binary": { - "type": "keyword", - "doc_values": "true" - }, - "parentImage": { - "type": "keyword", - "doc_values": "true" - }, - "categoryId": { - "type": "keyword", - "doc_values": "true" - }, - "subcategoryId": { - "type": "keyword", - "doc_values": "true" - }, - "subcategoryGuid": { - "type": "keyword", - "doc_values": "true" - }, - "auditPolicyChangesId": { - "type": "keyword", - "doc_values": "true" - }, - "category": { - "type": "keyword", - "doc_values": "true" - }, - "subcategory": { - "type": "keyword", - "doc_values": "true" - }, - "auditPolicyChanges": { - "type": "keyword", - "doc_values": "true" + "eventLastSeen": { + "type": "date" } } }, - "rmSessionEvent": { + "createdAt": { + "type": "date" + }, + "updatedAt": { + "type": "date" + }, + "resource.instanceDetails": { "properties": { - "rmSessionId": { - "type": "keyword", - "doc_values": "true" + "launchTime": { + "type": "date" }, - "uTCStartTime": { - "type": "keyword", - "doc_values": "true" + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } } } } 
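Review bot: `sca.total_checks` is added as `keyword` while its siblings `sca.passed` and `sca.failed` are `integer` and `sca.score` is `long`; the same applies to `virustotal.positives`/`virustotal.total` and to `vulnerability.cvss.cvss_score`/`cvss3_score`, all numeric values that cannot be range-filtered or averaged once stored as strings. Suggest `"total_checks": { "type": "integer" }`, `positives`/`total` as `integer`, and the CVSS scores as `float` (or `double`, matching `oscap.scan.score`), adding `"ignore_malformed": true` if the source is known to emit non-numeric strings for them occasionally. Separately, the whole `win` subtree (`win.system`, `win.eventdata`, `win.rmSessionEvent`) is removed with no replacement in this hunk; unless dynamic mapping is disabled elsewhere in the template, those fields will now be mapped dynamically as `text` with a `.keyword` multi-field, so any saved search or visualization that aggregates on e.g. `data.win.system.eventID` directly would have to move to the `.keyword` sub-field.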
@@ -1436,21 +1646,31 @@ } }, "program_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "command": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "type": { "type": "text" }, "title": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "previous_output": { + "type": "keyword" } } - } + }, + "version": 1 } - diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 9ec61091..06c2c6af 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -5,8 +5,8 @@ elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 7.2.1 -wazuh_version: 3.9.5 +elastic_stack_version: 7.3.2 +wazuh_version: 3.10.0 # Xpack Security kibana_xpack_security: false diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 320c9b74..c7c7f551 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -6,10 +6,11 @@ when: ansible_os_family == 'Debian' - name: Reload systemd - systemd: daemon_reload=true + systemd: + daemon_reload: true ignore_errors: true when: - - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") + - not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)") - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) 
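Review bot: The new Amazon Linux exclusion `ansible_distribution_version == "(Karoo)"` keys on a codename string, and the value Ansible reports for Amazon Linux 1 has, as far as I know, varied across Ansible releases (some report a `YYYY.MM` value instead), so the exclusion can silently stop matching and the `systemd` module would again run on a host without systemd. The four distribution-specific `not (...)` conditions all encode the same question — does this host use systemd — which Ansible exposes as a fact; replacing the list with `when: ansible_service_mgr == "systemd"` is shorter and needs no per-distribution maintenance. If the list is kept, the other `daemon_reload` task in this file (hunk at +137) should use the identical expression so the two do not diverge.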
@@ -84,6 +85,7 @@ when: - check_certs_permissions is defined - kibana_xpack_security + notify: restart kibana tags: xpack-security - name: Kibana configuration @@ -93,6 +95,7 @@ owner: root group: root mode: 0664 + notify: restart kibana tags: configure - name: Checking Wazuh-APP version @@ -125,6 +128,7 @@ creates: /usr/share/kibana/plugins/wazuh/package.json become: yes become_user: kibana + notify: restart kibana tags: - install - skip_ansible_lint @@ -133,12 +137,6 @@ systemd: daemon_reload: true -- name: Restart Kibana - service: - name: kibana - enabled: true - state: restarted - - name: Ensure Kibana is started and enabled service: name: kibana @@ -146,7 +144,7 @@ state: started - import_tasks: RMRedHat.yml - when: ansible_os_family == 'RedHat', 'Amazon' + when: ansible_os_family == 'RedHat' - import_tasks: RMDebian.yml when: ansible_os_family == 'Debian' diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 632ab7e3..180308a6 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -1,5 +1,5 @@ --- -filebeat_version: 7.2.1 +filebeat_version: 7.3.2 filebeat_create_config: true diff --git a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 index 11ef6176..06af6322 100644 --- a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 +++ b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 
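Review bot: The three `notify: restart kibana` additions (hunks at +85, +95 and +128) depend on a handler named `restart kibana` in the role's handlers file, and this diff does not show one being added; if it is missing, Ansible aborts the play with "The requested handler 'restart kibana' was not found" as soon as one of these tasks reports changed. Please confirm the handler exists, or add a `- name: restart kibana` handler calling the `service` module with `name: kibana` and `state: restarted` alongside this change. One consequence of dropping the unconditional "Restart Kibana" task (hunk at +137) is worth a comment in the plugin-install task: because it is guarded by `creates: /usr/share/kibana/plugins/wazuh/package.json`, a rerun after a run that installed the plugin but failed before the handlers fired will skip the task and never restart Kibana.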
@@ -1,25 +1,426 @@ { "order": 0, - "index_patterns": ["wazuh-alerts-3.x-*"], + "index_patterns": [ + "wazuh-alerts-3.x-*", + "wazuh-archives-3.x-*" + ], "settings": { "index.refresh_interval": "5s", "index.number_of_shards": "3", "index.number_of_replicas": "0", "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 2000 + "index.mapping.total_fields.limit": 10000, + "index.query.default_field": [ + "GeoLocation.city_name", + "GeoLocation.continent_code", + "GeoLocation.country_code2", + "GeoLocation.country_code3", + "GeoLocation.country_name", + "GeoLocation.ip", + "GeoLocation.postal_code", + "GeoLocation.real_region_name", + "GeoLocation.region_name", + "GeoLocation.timezone", + "agent.id", + "agent.ip", + "agent.name", + "cluster.name", + "cluster.node", + "command", + "data", + "data.action", + "data.audit", + "data.audit.acct", + "data.audit.arch", + "data.audit.auid", + "data.audit.command", + "data.audit.cwd", + "data.audit.dev", + "data.audit.directory.inode", + "data.audit.directory.mode", + "data.audit.directory.name", + "data.audit.egid", + "data.audit.enforcing", + "data.audit.euid", + "data.audit.exe", + "data.audit.execve.a0", + "data.audit.execve.a1", + "data.audit.execve.a2", + "data.audit.execve.a3", + "data.audit.exit", + "data.audit.file.inode", + "data.audit.file.mode", + "data.audit.file.name", + "data.audit.fsgid", + "data.audit.fsuid", + "data.audit.gid", + "data.audit.id", + "data.audit.key", + "data.audit.list", + "data.audit.old-auid", + "data.audit.old-ses", + "data.audit.old_enforcing", + "data.audit.old_prom", + "data.audit.op", + "data.audit.pid", + "data.audit.ppid", + "data.audit.prom", + "data.audit.res", + "data.audit.session", + "data.audit.sgid", + "data.audit.srcip", + "data.audit.subj", + "data.audit.success", + "data.audit.suid", + "data.audit.syscall", + "data.audit.tty", + "data.audit.uid", + "data.aws.accountId", + "data.aws.account_id", + "data.aws.action", + "data.aws.actor", + 
"data.aws.aws_account_id", + "data.aws.description", + "data.aws.dstport", + "data.aws.errorCode", + "data.aws.errorMessage", + "data.aws.eventID", + "data.aws.eventName", + "data.aws.eventSource", + "data.aws.eventType", + "data.aws.id", + "data.aws.name", + "data.aws.requestParameters.accessKeyId", + "data.aws.requestParameters.bucketName", + "data.aws.requestParameters.gatewayId", + "data.aws.requestParameters.groupDescription", + "data.aws.requestParameters.groupId", + "data.aws.requestParameters.groupName", + "data.aws.requestParameters.host", + "data.aws.requestParameters.hostedZoneId", + "data.aws.requestParameters.instanceId", + "data.aws.requestParameters.instanceProfileName", + "data.aws.requestParameters.loadBalancerName", + "data.aws.requestParameters.loadBalancerPorts", + "data.aws.requestParameters.masterUserPassword", + "data.aws.requestParameters.masterUsername", + "data.aws.requestParameters.name", + "data.aws.requestParameters.natGatewayId", + "data.aws.requestParameters.networkAclId", + "data.aws.requestParameters.path", + "data.aws.requestParameters.policyName", + "data.aws.requestParameters.port", + "data.aws.requestParameters.stackId", + "data.aws.requestParameters.stackName", + "data.aws.requestParameters.subnetId", + "data.aws.requestParameters.subnetIds", + "data.aws.requestParameters.volumeId", + "data.aws.requestParameters.vpcId", + "data.aws.resource.accessKeyDetails.accessKeyId", + "data.aws.resource.accessKeyDetails.principalId", + "data.aws.resource.accessKeyDetails.userName", + "data.aws.resource.instanceDetails.instanceId", + "data.aws.resource.instanceDetails.instanceState", + "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.subnetId", + "data.aws.resource.instanceDetails.networkInterfaces.vpcId", + "data.aws.resource.instanceDetails.tags.value", + 
"data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", + "data.aws.responseElements.description", + "data.aws.responseElements.instanceId", + "data.aws.responseElements.instances.instanceId", + "data.aws.responseElements.instancesSet.items.instanceId", + "data.aws.responseElements.listeners.port", + "data.aws.responseElements.loadBalancerName", + "data.aws.responseElements.loadBalancers.vpcId", + "data.aws.responseElements.loginProfile.userName", + "data.aws.responseElements.networkAcl.vpcId", + "data.aws.responseElements.ownerId", + "data.aws.responseElements.publicIp", + "data.aws.responseElements.user.userId", + "data.aws.responseElements.user.userName", + "data.aws.responseElements.volumeId", + "data.aws.service.serviceName", + "data.aws.severity", + "data.aws.source", + "data.aws.sourceIPAddress", + "data.aws.srcport", + "data.aws.userIdentity.accessKeyId", + "data.aws.userIdentity.accountId", + "data.aws.userIdentity.userName", + "data.aws.vpcEndpointId", + "data.command", + "data.data", + "data.docker.Actor.Attributes.container", + "data.docker.Actor.Attributes.image", + "data.docker.Actor.Attributes.name", + "data.docker.Actor.ID", + "data.docker.id", + "data.docker.message", + "data.docker.status", + "data.dstip", + "data.dstport", + "data.dstuser", + "data.hardware.serial", + "data.id", + "data.integration", + "data.netinfo.iface.adapter", + "data.netinfo.iface.ipv4.address", + "data.netinfo.iface.ipv6.address", + "data.netinfo.iface.mac", + "data.netinfo.iface.name", + "data.os.architecture", + "data.os.build", + "data.os.codename", + "data.os.hostname", + "data.os.major", + "data.os.minor", + "data.os.name", + "data.os.platform", + "data.os.release", + "data.os.release_version", + "data.os.sysname", + "data.os.version", + "data.oscap.check.description", + "data.oscap.check.id", + "data.oscap.check.identifiers", + "data.oscap.check.oval.id", + "data.oscap.check.rationale", + "data.oscap.check.references", + "data.oscap.check.result", + 
"data.oscap.check.severity", + "data.oscap.check.title", + "data.oscap.scan.benchmark.id", + "data.oscap.scan.content", + "data.oscap.scan.id", + "data.oscap.scan.profile.id", + "data.oscap.scan.profile.title", + "data.osquery.columns.address", + "data.osquery.columns.command", + "data.osquery.columns.description", + "data.osquery.columns.dst_ip", + "data.osquery.columns.gid", + "data.osquery.columns.hostname", + "data.osquery.columns.md5", + "data.osquery.columns.path", + "data.osquery.columns.sha1", + "data.osquery.columns.sha256", + "data.osquery.columns.src_ip", + "data.osquery.columns.user", + "data.osquery.columns.username", + "data.osquery.name", + "data.osquery.pack", + "data.port.process", + "data.port.protocol", + "data.port.state", + "data.process.args", + "data.process.cmd", + "data.process.egroup", + "data.process.euser", + "data.process.fgroup", + "data.process.name", + "data.process.rgroup", + "data.process.ruser", + "data.process.sgroup", + "data.process.state", + "data.process.suser", + "data.program.architecture", + "data.program.description", + "data.program.format", + "data.program.location", + "data.program.multiarch", + "data.program.name", + "data.program.priority", + "data.program.section", + "data.program.source", + "data.program.vendor", + "data.program.version", + "data.protocol", + "data.pwd", + "data.sca", + "data.sca.check.compliance.cis", + "data.sca.check.compliance.cis_csc", + "data.sca.check.compliance.pci_dss", + "data.sca.check.compliance.hipaa", + "data.sca.check.compliance.nist_800_53", + "data.sca.check.description", + "data.sca.check.directory", + "data.sca.check.file", + "data.sca.check.id", + "data.sca.check.previous_result", + "data.sca.check.process", + "data.sca.check.rationale", + "data.sca.check.reason", + "data.sca.check.references", + "data.sca.check.registry", + "data.sca.check.remediation", + "data.sca.check.result", + "data.sca.check.status", + "data.sca.check.title", + "data.sca.description", + "data.sca.file", + 
"data.sca.invalid", + "data.sca.name", + "data.sca.policy", + "data.sca.policy_id", + "data.sca.scan_id", + "data.sca.total_checks", + "data.script", + "data.src_ip", + "data.src_port", + "data.srcip", + "data.srcport", + "data.srcuser", + "data.status", + "data.system_name", + "data.title", + "data.tty", + "data.uid", + "data.url", + "data.virustotal.description", + "data.virustotal.error", + "data.virustotal.found", + "data.virustotal.permalink", + "data.virustotal.scan_date", + "data.virustotal.sha1", + "data.virustotal.source.alert_id", + "data.virustotal.source.file", + "data.virustotal.source.md5", + "data.virustotal.source.sha1", + "data.vulnerability.advisories", + "data.vulnerability.bugzilla_reference", + "data.vulnerability.cve", + "data.vulnerability.cwe_reference", + "data.vulnerability.package.condition", + "data.vulnerability.package.name", + "data.vulnerability.package.version", + "data.vulnerability.reference", + "data.vulnerability.severity", + "data.vulnerability.state", + "data.vulnerability.title", + "data.win.eventdata.auditPolicyChanges", + "data.win.eventdata.auditPolicyChangesId", + "data.win.eventdata.binary", + "data.win.eventdata.category", + "data.win.eventdata.categoryId", + "data.win.eventdata.data", + "data.win.eventdata.image", + "data.win.eventdata.ipAddress", + "data.win.eventdata.ipPort", + "data.win.eventdata.keyName", + "data.win.eventdata.logonGuid", + "data.win.eventdata.logonProcessName", + "data.win.eventdata.operation", + "data.win.eventdata.parentImage", + "data.win.eventdata.processId", + "data.win.eventdata.processName", + "data.win.eventdata.providerName", + "data.win.eventdata.returnCode", + "data.win.eventdata.service", + "data.win.eventdata.status", + "data.win.eventdata.subcategory", + "data.win.eventdata.subcategoryGuid", + "data.win.eventdata.subcategoryId", + "data.win.eventdata.subjectDomainName", + "data.win.eventdata.subjectLogonId", + "data.win.eventdata.subjectUserName", + 
"data.win.eventdata.subjectUserSid", + "data.win.eventdata.targetDomainName", + "data.win.eventdata.targetLinkedLogonId", + "data.win.eventdata.targetLogonId", + "data.win.eventdata.targetUserName", + "data.win.eventdata.targetUserSid", + "data.win.eventdata.workstationName", + "data.win.system.channel", + "data.win.system.computer", + "data.win.system.eventID", + "data.win.system.eventRecordID", + "data.win.system.eventSourceName", + "data.win.system.keywords", + "data.win.system.level", + "data.win.system.message", + "data.win.system.opcode", + "data.win.system.processID", + "data.win.system.providerGuid", + "data.win.system.providerName", + "data.win.system.securityUserID", + "data.win.system.severityValue", + "data.win.system.userID", + "decoder.ftscomment", + "decoder.name", + "decoder.parent", + "full_log", + "host", + "id", + "input", + "location", + "manager.name", + "message", + "offset", + "predecoder.hostname", + "predecoder.program_name", + "previous_log", + "previous_output", + "program_name", + "rule.cis", + "rule.cve", + "rule.description", + "rule.gdpr", + "rule.gpg13", + "rule.groups", + "rule.id", + "rule.info", + "rule.pci_dss", + "syscheck.audit.effective_user.id", + "syscheck.audit.effective_user.name", + "syscheck.audit.group.id", + "syscheck.audit.group.name", + "syscheck.audit.login_user.id", + "syscheck.audit.login_user.name", + "syscheck.audit.process.id", + "syscheck.audit.process.name", + "syscheck.audit.process.ppid", + "syscheck.audit.user.id", + "syscheck.audit.user.name", + "syscheck.diff", + "syscheck.event", + "syscheck.gid_after", + "syscheck.gid_before", + "syscheck.gname_after", + "syscheck.gname_before", + "syscheck.inode_after", + "syscheck.inode_before", + "syscheck.md5_after", + "syscheck.md5_before", + "syscheck.path", + "syscheck.perm_after", + "syscheck.perm_before", + "syscheck.sha1_after", + "syscheck.sha1_before", + "syscheck.sha256_after", + "syscheck.sha256_before", + "syscheck.tags", + "syscheck.uid_after", + 
"syscheck.uid_before", + "syscheck.uname_after", + "syscheck.uname_before", + "title", + "type" + ] }, "mappings": { "dynamic_templates": [ { "string_as_keyword": { - "match_mapping_type": "string", "mapping": { - "type": "keyword", - "doc_values": "true" - } + "type": "keyword" + }, + "match_mapping_type": "string" } } ], + "date_detection": false, "properties": { "@timestamp": { "type": "date" @@ -34,42 +435,35 @@ "agent": { "properties": { "ip": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "manager": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "cluster": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "node": { + "type": "keyword" } } }, - "AlertsFile": { - "type": "keyword", - "doc_values": "true" - }, "full_log": { - "enabled": false, - "type": "object" + "type": "text" }, "previous_log": { "type": "text" @@ -80,8 +474,7 @@ "type": "long" }, "city_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "continent_code": { "type": "text" @@ -96,15 +489,13 @@ "type": "text" }, "country_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dma_code": { "type": "long" }, "ip": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "latitude": { "type": "double" @@ -119,12 +510,10 @@ "type": "keyword" }, "real_region_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "region_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "timezone": { "type": "text" 
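Review bot: `index.mapping.total_fields.limit` goes from 2000 to 10000 while dynamic mapping stays on (the `string_as_keyword` dynamic template maps every unseen string key), so an alert source that emits arbitrary JSON keys can grow the mapping five times further before Elasticsearch refuses new fields; that limit is the cluster's guard against mapping explosion, and the added `wazuh-archives-3.x-*` pattern now applies the same settings to the archives indices. If 10000 is what the flattened `data.*` schema listed in this hunk needs, record the rationale where the value can be changed: since the file is rendered as a Jinja2 template, a `{# ... #}` comment is stripped on render and can carry it, and the number could be a role default (a variable such as `filebeat_template_total_fields_limit`, name only a suggestion) instead of a literal. The `index.query.default_field` list also means a query with no field prefix fans out across roughly 400 fields, which is presumably intended for the Kibana search bar but has a per-query cost worth stating in the README.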
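Review bot: In the hunk at 34, `full_log` changes from an unindexed object (`"enabled": false`) to an analyzed `"type": "text"` field, and `full_log` is also in the new `index.query.default_field` list, so raw log lines are now tokenized, stored in the inverted index and searchable from the default search bar, with a corresponding index-size increase. That is a functional change a reader of this diff cannot distinguish from the `doc_values` cleanup around it, so it deserves a changelog line and, if raw lines can carry sensitive content, a README note on why the field is indexed. The same hunk drops `AlertsFile`, which is fine as long as no saved search or visualization still references it.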
@@ -132,110 +521,151 @@ } }, "host": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "syscheck": { "properties": { "path": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sha1_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sha1_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uid_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uid_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gid_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gid_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "perm_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "perm_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "md5_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "md5_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gname_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gname_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "inode_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "inode_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mtime_after": { "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" + "format": "date_optional_time" }, "mtime_before": { "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" + "format": "date_optional_time" }, "uname_after": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "uname_before": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "size_before": { - "type": "long", - "doc_values": "true" + "type": "long" }, "size_after": { - "type": "long", - "doc_values": "true" + "type": "long" }, "diff": { - "type": "keyword", - "doc_values": 
"true" + "type": "keyword" }, "event": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "audit": { + "properties": { + "effective_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "login_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "sha256_after": { + "type": "keyword" + }, + "sha256_before": { + "type": "keyword" + }, + "tags": { + "type": "keyword" } } }, "location": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "message": { "type": "text" 
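Review bot: `syscheck.diff` keeps `"type": "keyword"` with no `ignore_above`, and a single keyword term is capped by Lucene at 32766 bytes; a syscheck alert whose diff payload exceeds that is rejected as a whole document at index time, so one large file change silently loses the entire FIM alert rather than just the diff. Either `"type": "text"` (the diff is displayed, not aggregated) or keeping keyword with `"ignore_above": 32766` avoids that; which one is right depends on whether any dashboard aggregates on this field. Whether the manager caps diff size before the alert reaches Elasticsearch is not visible here, so confirm that before changing the mapping.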
@@ -246,554 +676,441 @@ "rule": { "properties": { "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "groups": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "level": { - "type": "long", - "doc_values": "true" + "type": "long" }, "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cve": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "info": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "frequency": { - "type": "long", - "doc_values": "true" + "type": "long" }, "firedtimes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "cis": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pci_dss": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gdpr": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "gpg13": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + }, + "mail": { + "type": "boolean" } } }, "predecoder": { "properties": { "program_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "timestamp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hostname": { + "type": "keyword" } } }, "decoder": { "properties": { "parent": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ftscomment": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "fts": { - "type": "long", - "doc_values": "true" + "type": "long" }, "accumulate": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "data": { "properties": { - "protocol": { - "type": "keyword", - "doc_values": "true" - }, - "action": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "dstip": { - 
"type": "keyword", - "doc_values": "true" - }, - "srcport": { - "type": "keyword", - "doc_values": "true" - }, - "dstport": { - "type": "keyword", - "doc_values": "true" - }, - "srcuser": { - "type": "keyword", - "doc_values": "true" - }, - "dstuser": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "status": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "system_name": { - "type": "keyword", - "doc_values": "true" - }, - "url": { - "type": "keyword", - "doc_values": "true" - }, - "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - "check.description": { - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - "type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } - } - }, "audit": { "properties": { - "type": { - "type": "keyword", - "doc_values": "true" + "acct": { + "type": "keyword" }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "syscall": { - "type": "keyword", - "doc_values": "true" - }, - "exit": { - "type": "keyword", - "doc_values": "true" - }, - "ppid": { - "type": 
"keyword", - "doc_values": "true" - }, - "pid": { - "type": "keyword", - "doc_values": "true" + "arch": { + "type": "keyword" }, "auid": { - "type": "keyword", - "doc_values": "true" - }, - "uid": { - "type": "keyword", - "doc_values": "true" - }, - "gid": { - "type": "keyword", - "doc_values": "true" - }, - "euid": { - "type": "keyword", - "doc_values": "true" - }, - "suid": { - "type": "keyword", - "doc_values": "true" - }, - "fsuid": { - "type": "keyword", - "doc_values": "true" - }, - "egid": { - "type": "keyword", - "doc_values": "true" - }, - "sgid": { - "type": "keyword", - "doc_values": "true" - }, - "fsgid": { - "type": "keyword", - "doc_values": "true" - }, - "tty": { - "type": "keyword", - "doc_values": "true" - }, - "session": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "command": { - "type": "keyword", - "doc_values": "true" - }, - "exe": { - "type": "keyword", - "doc_values": "true" - }, - "key": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cwd": { - "type": "keyword", - "doc_values": "true" - }, - "directory.name": { - "type": "keyword", - "doc_values": "true" - }, - "directory.inode": { - "type": "keyword", - "doc_values": "true" - }, - "directory.mode": { - "type": "keyword", - "doc_values": "true" - }, - "file.name": { - "type": "keyword", - "doc_values": "true" - }, - "file.inode": { - "type": "keyword", - "doc_values": "true" - }, - "file.mode": { - "type": "keyword", - "doc_values": "true" - }, - "acct": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dev": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, - "enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "list": { - "type": "keyword", - "doc_values": "true" - }, - "old-auid": { - "type": "keyword", - "doc_values": "true" - }, - "old-ses": { - "type": "keyword", - "doc_values": "true" - }, - "old_enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "old_prom": { - "type": 
"keyword", - "doc_values": "true" - }, - "op": { - "type": "keyword", - "doc_values": "true" - }, - "prom": { - "type": "keyword", - "doc_values": "true" - }, - "res": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "subj": { - "type": "keyword", - "doc_values": "true" - }, - "success": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "aws": { - "properties": { - "bytes": { - "type": "long", - "doc_values": "true" - }, - "dstaddr": { - "type": "ip", - "doc_values": "true" - }, - "srcaddr": { - "type": "ip", - "doc_values": "true" - }, - "end": { - "type": "date", - "doc_values": "true" - }, - "start": { - "type": "date", - "doc_values": "true" - }, - "source_ip_address": { - "type": "ip", - "doc_values": "true" - }, - "resource.instanceDetails.networkInterfaces": { + "directory": { "properties": { - "privateIpAddress": { - "type": "ip", - "doc_values": "true" + "inode": { + "type": "keyword" }, - "publicIp": { - "type": "ip", - "doc_values": "true" + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" } } }, - "service": { + "egid": { + "type": "keyword" + }, + "enforcing": { + "type": "keyword" + }, + "euid": { + "type": "keyword" + }, + "exe": { + "type": "keyword" + }, + "execve": { "properties": { - "count": { - "type": "long", - "doc_values": "true" + "a0": { + "type": "keyword" }, - "action.networkConnectionAction.remoteIpDetails": { + "a1": { + "type": "keyword" + }, + "a2": { + "type": "keyword" + }, + "a3": { + "type": "keyword" + } + } + }, + "exit": { + "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "fsgid": { + "type": "keyword" + }, + "fsuid": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "list": { + "type": "keyword" + }, + "old-auid": { + 
"type": "keyword" + }, + "old-ses": { + "type": "keyword" + }, + "old_enforcing": { + "type": "keyword" + }, + "old_prom": { + "type": "keyword" + }, + "op": { + "type": "keyword" + }, + "pid": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + }, + "prom": { + "type": "keyword" + }, + "res": { + "type": "keyword" + }, + "session": { + "type": "keyword" + }, + "sgid": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "subj": { + "type": "keyword" + }, + "success": { + "type": "keyword" + }, + "suid": { + "type": "keyword" + }, + "syscall": { + "type": "keyword" + }, + "tty": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + } + } + }, + "protocol": { + "type": "keyword" + }, + "action": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "dstip": { + "type": "keyword" + }, + "srcport": { + "type": "keyword" + }, + "dstport": { + "type": "keyword" + }, + "srcuser": { + "type": "keyword" + }, + "dstuser": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "system_name": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "oscap": { + "properties": { + "check": { + "properties": { + "description": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "identifiers": { + "type": "text" + }, + "oval": { "properties": { - "ipAddressV4": { - "type": "ip", - "doc_values": "true" - }, - "geoLocation": { - "type": "geo_point", - "doc_values": "true" + "id": { + "type": "keyword" } } + }, + "rationale": { + "type": "text" + }, + "references": { + "type": "text" + }, + "result": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "benchmark": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "content": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "profile": 
{ + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "return_code": { + "type": "long" + }, + "score": { + "type": "double" } } } } }, "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netinfo": { "properties": { "iface": { "properties": { "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mac": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "adapter": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "mtu": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_bytes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_bytes": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_errors": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_errors": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_dropped": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_dropped": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_packets": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_packets": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ipv4": { "properties": { "gateway": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "dhcp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "address": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netmask": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "broadcast": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "metric": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "ipv6": { "properties": { "gateway": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, 
"dhcp": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "address": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "netmask": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "broadcast": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "metric": { - "type": "long", - "doc_values": "true" + "type": "long" } } } 
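Review bot: The explicit `data.aws` mappings are removed in this hunk (`srcaddr`, `dstaddr` and `source_ip_address` as `ip`, `start`/`end` as `date`, `bytes` as `long`, and the `remoteIpDetails.geoLocation` as `geo_point`) and nothing in the hunk re-adds them, so unless they reappear in the part of the template after this hunk those fields now fall through the `string_as_keyword` dynamic template: CIDR and range queries on the addresses stop working, a coordinate map on `geoLocation` breaks, and with the new `"date_detection": false` the timestamps become plain keywords. If the drop is deliberate it needs a changelog line and a README note because existing AWS visualizations depend on those types; if not, the block should be restored under a nested `aws` object in the same style as the reworked `oscap` mapping above. The `data` object continues past the end of this hunk.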
@@ -804,630 +1121,523 @@ "os": { "properties": { "hostname": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "architecture": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "codename": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "major": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "minor": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "build": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "platform": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sysname": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "release": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "release_version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "port": { "properties": { "protocol": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "local_ip": { - "type": "ip", - "doc_values": "true" + "type": "ip" }, "local_port": { - "type": "long", - "doc_values": "true" + "type": "long" }, "remote_ip": { - "type": "ip", - "doc_values": "true" + "type": "ip" }, "remote_port": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tx_queue": { - "type": "long", - "doc_values": "true" + "type": "long" }, "rx_queue": { - "type": "long", - "doc_values": "true" + "type": "long" }, "inode": { - "type": "long", - "doc_values": "true" + "type": "long" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "process": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "hardware": { "properties": { "serial": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cpu_name": 
{ - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cpu_cores": { - "type": "long", - "doc_values": "true" + "type": "long" }, "cpu_mhz": { - "type": "double", - "doc_values": "true" + "type": "double" }, "ram_total": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ram_free": { - "type": "long", - "doc_values": "true" + "type": "long" }, "ram_usage": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "program": { "properties": { "format": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "priority": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "section": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "vendor": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "install_time": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "architecture": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "multiarch": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "source": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "location": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, "process": { "properties": { "pid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "state": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ppid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "utime": { - "type": "long", - "doc_values": "true" + "type": "long" }, "stime": { - "type": "long", - "doc_values": "true" + "type": "long" }, 
"cmd": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "args": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "euser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "ruser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "suser": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "egroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "sgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "fgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "rgroup": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "priority": { - "type": "long", - "doc_values": "true" + "type": "long" }, "nice": { - "type": "long", - "doc_values": "true" + "type": "long" }, "size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "vm_size": { - "type": "long", - "doc_values": "true" + "type": "long" }, "resident": { - "type": "long", - "doc_values": "true" + "type": "long" }, "share": { - "type": "long", - "doc_values": "true" + "type": "long" }, "start_time": { - "type": "long", - "doc_values": "true" + "type": "long" }, "pgrp": { - "type": "long", - "doc_values": "true" + "type": "long" }, "session": { - "type": "long", - "doc_values": "true" + "type": "long" }, "nlwp": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tgid": { - "type": "long", - "doc_values": "true" + "type": "long" }, "tty": { - "type": "long", - "doc_values": "true" + "type": "long" }, "processor": { - "type": "long", - "doc_values": "true" + "type": "long" } } }, "sca": { "properties": { "type": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "scan_id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "policy": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, 
"file": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "passed": { - "type": "integer", - "doc_values": "true" + "type": "integer" }, "failed": { - "type": "integer", - "doc_values": "true" + "type": "integer" }, "score": { - "type": "long", - "doc_values": "true" + "type": "long" }, "check": { "properties": { "id": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "title": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "description": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "rationale": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "remediation": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "compliance": { "properties": { "cis": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "cis_csc": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "pci_dss": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" } } }, "references": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "file": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "directory": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "registry": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "process": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "result": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "previous_result": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "status": { + "type": "keyword" } } + }, + "invalid": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "total_checks": { + "type": "keyword" } } }, - "win": { + "command": { + "type": 
"keyword" + }, + "integration": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "virustotal": { "properties": { - "system": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { "properties": { - "providerName": { - "type": "keyword", - "doc_values": "true" + "alert_id": { + "type": "keyword" }, - "providerGuid": { - "type": "keyword", - "doc_values": "true" + "file": { + "type": "keyword" }, - "eventSourceName": { - "type": "keyword", - "doc_values": "true" + "md5": { + "type": "keyword" }, - "securityUserID": { - "type": "keyword", - "doc_values": "true" + "sha1": { + "type": "keyword" + } + } + }, + "total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "advisories": { + "type": "keyword" + }, + "bugzilla_reference": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss3_score": { + "type": "keyword" }, - "userID": { - "type": "keyword", - "doc_values": "true" + "cvss_score": { + "type": "keyword" }, - "eventID": { - "type": "keyword", - "doc_values": "true" + "cvss_scoring_vector": { + "type": "keyword" + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "condition": { + "type": "keyword" + }, + "name": { + "type": "keyword" }, "version": { - "type": "keyword", - "doc_values": "true" - }, - "level": { - "type": "keyword", - "doc_values": "true" - }, - "task": { - "type": "keyword", - "doc_values": "true" - }, - "opcode": { - "type": "keyword", - "doc_values": "true" - }, - "keywords": { - "type": "keyword", - "doc_values": "true" - }, - "systemTime": { - "type": 
"keyword", - "doc_values": "true" - }, - "eventRecordID": { - "type": "keyword", - "doc_values": "true" - }, - "processID": { - "type": "keyword", - "doc_values": "true" - }, - "threadID": { - "type": "keyword", - "doc_values": "true" - }, - "channel": { - "type": "keyword", - "doc_values": "true" - }, - "computer": { - "type": "keyword", - "doc_values": "true" - }, - "severityValue": { - "type": "keyword", - "doc_values": "true" - }, - "message": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" } } }, - "eventdata": { + "published": { + "type": "date" + }, + "reference": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "bytes": { + "type": "long" + }, + "dstaddr": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "start": { + "type": "date" + }, + "source_ip_address": { + "type": "ip" + }, + "service": { "properties": { - "subjectUserSid": { - "type": "keyword", - "doc_values": "true" + "count": { + "type": "long" }, - "subjectUserName": { - "type": "keyword", - "doc_values": "true" + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + "ipAddressV4": { + "type": "ip" + }, + "geoLocation": { + "type": "geo_point" + } + } }, - "subjectDomainName": { - "type": "keyword", - "doc_values": "true" + "eventFirstSeen": { + "type": "date" }, - "subjectLogonId": { - "type": "keyword", - "doc_values": "true" - }, - "targetUserSid": { - "type": "keyword", - "doc_values": "true" - }, - "targetUserName": { - "type": "keyword", - "doc_values": "true" - }, - "targetDomainName": { - "type": "keyword", - "doc_values": "true" - }, - "targetLogonId": { - "type": "keyword", - "doc_values": "true" - }, - "logonType": { - "type": "keyword", - "doc_values": "true" - }, - "logonProcessName": { - "type": "keyword", - "doc_values": "true" - }, - "authenticationPackageName": { - 
"type": "keyword", - "doc_values": "true" - }, - "logonGuid": { - "type": "keyword", - "doc_values": "true" - }, - "keyLength": { - "type": "keyword", - "doc_values": "true" - }, - "impersonationLevel": { - "type": "keyword", - "doc_values": "true" - }, - "transactionId": { - "type": "keyword", - "doc_values": "true" - }, - "newState": { - "type": "keyword", - "doc_values": "true" - }, - "resourceManager": { - "type": "keyword", - "doc_values": "true" - }, - "processId": { - "type": "keyword", - "doc_values": "true" - }, - "processName": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "image": { - "type": "keyword", - "doc_values": "true" - }, - "binary": { - "type": "keyword", - "doc_values": "true" - }, - "parentImage": { - "type": "keyword", - "doc_values": "true" - }, - "categoryId": { - "type": "keyword", - "doc_values": "true" - }, - "subcategoryId": { - "type": "keyword", - "doc_values": "true" - }, - "subcategoryGuid": { - "type": "keyword", - "doc_values": "true" - }, - "auditPolicyChangesId": { - "type": "keyword", - "doc_values": "true" - }, - "category": { - "type": "keyword", - "doc_values": "true" - }, - "subcategory": { - "type": "keyword", - "doc_values": "true" - }, - "auditPolicyChanges": { - "type": "keyword", - "doc_values": "true" + "eventLastSeen": { + "type": "date" } } }, - "rmSessionEvent": { + "createdAt": { + "type": "date" + }, + "updatedAt": { + "type": "date" + }, + "resource.instanceDetails": { "properties": { - "rmSessionId": { - "type": "keyword", - "doc_values": "true" + "launchTime": { + "type": "date" }, - "uTCStartTime": { - "type": "keyword", - "doc_values": "true" + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } } } } 
@@ -1436,20 +1646,31 @@ } }, "program_name": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "command": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" }, "type": { "type": "text" }, "title": { - "type": "keyword", - "doc_values": "true" + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "previous_output": { + "type": "keyword" } } - } -} \ No newline at end of file + }, + "version": 1 +} diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index c3da8e89..f6904240 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.9.5 +wazuh_agent_version: 3.10.0 wazuh_managers: - address: 127.0.0.1 port: 1514 @@ -26,7 +26,7 @@ wazuh_winagent_config: auth_path: C:\Program Files\ossec-agent\agent-auth.exe # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe - version: '3.9.5' + version: '3.10.0' revision: '1' repo: https://packages.wazuh.com/3.x/windows/ md5: ee5b24216db472d291da4e14f0b3bc63 diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 8c7c1f16..87ab144b 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_manager_api_version: 3.9.5 +wazuh_manager_api_version: 3.10.0 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: latest
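Review bot: In the `@@ -26,7 +26,7 @@` hunk of `roles/wazuh/ansible-wazuh-agent/defaults/main.yml` the Windows agent `version` is bumped to `'3.10.0'`, but the `md5: ee5b24216db472d291da4e14f0b3bc63` line directly below it is left as unchanged context, so the checksum still describes the 3.9.5 installer. If the Windows tasks verify the downloaded MSI against this value (they are not visible here), the 3.10.0 package will fail verification; if the check is only advisory, a stale digest gives no protection at all, and a substituted installer would pass unnoticed. The value has to be replaced with the digest published for the 3.10.0 package, and a comment such as `# digest of the wazuh-agent 3.10.0-1 MSI from packages.wazuh.com — update together with version/revision` would keep the two from drifting apart on the next bump. While the line is being touched, a SHA-256 digest is preferable to MD5 for installer verification; if the download goes through `win_get_url`, its `checksum` and `checksum_algorithm: sha256` options support that directly.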