Add default query fields to vulnerability detector index (#40)
* Add ECS mappings generator, documentation and files for vulnerability detector

* Add event generator script

* Add default query fields

---------

Signed-off-by: Álex Ruiz <[email protected]>
AlexRuiz7 committed Jan 4, 2024
1 parent b0f8bb7 commit acea1f2
Showing 3 changed files with 38 additions and 6 deletions.
8 changes: 4 additions & 4 deletions ecs/README.md
Expand Up @@ -8,7 +8,7 @@ This script generates the ECS mappings for the Wazuh indices.
- Python 3.6 or higher
- jq

### Folder structure
### Folder structrue

There is a folder for each module. Inside each folder, there is a `fields` folder with the required
files to generate the mappings. These are the inputs for the ECS generator.
Expand Down Expand Up @@ -62,7 +62,7 @@ curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-vulner
```

Notes:
- PUT and POST are interchangeable.
- PUT and POST are interchangable.
- The name of the index template does not matter. Any name can be used.
- Adjust credentials and URL accordingly.

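Review bot: the `-k` flag in the context line `curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/...` disables TLS certificate verification, and `admin:admin` is the indexer's default credential; the "Adjust credentials and URL accordingly" bullet covers the URL and password but says nothing about `-k`. Suggest adding a bullet to the Notes list along the lines of "`-k` skips certificate verification and is only for test deployments; drop it and pass `--cacert <indexer-ca.pem>` (path is a placeholder) once the indexer uses a trusted certificate", so copy-pasted production invocations do not silently accept any certificate.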
Expand All @@ -83,7 +83,7 @@ are required.

For testing purposes, the script `generate_events.py` can be used to generate events for a given module.
Currently, it is only able to generate events for the `vulnerability-detector` module. To support other
modules, please extend or refactor the script.
modules, please extend of refactor the script.

The script prompts for the required parameters, so it can be launched without arguments:

Expand All @@ -95,7 +95,7 @@ The script will generate a JSON file with the events, and will also ask whether
indexer. If the upload option is selected, the script will ask for the indexer URL and port, credentials,
and index name.

The script uses a log file. Check it out for debugging or additional information.
The script uses log file. Check it out for debugging or additonal information.

#### References

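Review bot: "The script uses a log file. Check it out for debugging" does not say where the log is written or what it contains, and the same paragraph states that the script prompts for indexer credentials. Please name the log file's location in this sentence and state explicitly that credentials are not written to it (and confirm in `generate_events.py` that the password never reaches the logger, including in any logged connection string or exception text). Suggested wording: "The script writes a log file next to the generated JSON; credentials are never logged."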
18 changes: 17 additions & 1 deletion ecs/vulnerability-detector/fields/template-settings-legacy.json
Expand Up @@ -13,7 +13,23 @@
},
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "2s"
"refresh_interval": "2s",
"query.default_field": [
"base.tags",
"agent.id",
"ecs.version",
"event.id",
"event.module",
"event.severity",
"host.os.family",
"host.os.full.text",
"host.os.version",
"package.name",
"package.version",
"vulnerability.id",
"vulnerability.description.text",
"vulnerability.severity"
]
}
}
}
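Review bot: `"base.tags"` in the new `query.default_field` list looks wrong. ECS maps the base field set (`@timestamp`, `labels`, `message`, `tags`) at the document root, so the field the generator emits should be `tags`, not `base.tags`, and a default field that matches no mapped field is silently ignored by `query_string` searches rather than failing loudly. Confirm against the generated mapping and change the entry to `"tags"`. The `.text` entries (`host.os.full.text`, `vulnerability.description.text`) correctly target the text multi-fields of keyword fields, which is what free-text search over this index needs.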
18 changes: 17 additions & 1 deletion ecs/vulnerability-detector/fields/template-settings.json
Expand Up @@ -14,7 +14,23 @@
},
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "2s"
"refresh_interval": "2s",
"query.default_field": [
"base.tags",
"agent.id",
"ecs.version",
"event.id",
"event.module",
"event.severity",
"host.os.family",
"host.os.full.text",
"host.os.version",
"package.name",
"package.version",
"vulnerability.id",
"vulnerability.description.text",
"vulnerability.severity"
]
}
}
}
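Review bot: this `query.default_field` array is a verbatim copy of the one added to `ecs/vulnerability-detector/fields/template-settings-legacy.json` in the same commit, and two hand-maintained copies will drift the first time a field is added to one of them. Suggest either having the generator derive the legacy template from `template-settings.json`, or adding a check to the generate script that asserts both arrays are equal. The remark about `"base.tags"` on the legacy file applies to this copy as well.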
