Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Ports Inventory Format #299

Open
vikman90 opened this issue Nov 13, 2024 · 2 comments · May be fixed by #310
Open

Update Ports Inventory Format #299

vikman90 opened this issue Nov 13, 2024 · 2 comments · May be fixed by #310
Assignees
@LucioDonda
Labels
level/subtask Subtask issue module/inventory Inventory module mvp Minimum Viable Product refinement type/enhancement Enhancement issue

Comments

@vikman90
Copy link
Member

vikman90 commented Nov 13, 2024
edited
Loading

Parent Issue: #292

Description

Update the ports inventory format to comply with the Elastic Common Schema (ECS).

Data Fields

Field Type Example
agent.groups keyword
agent.id keyword
destination.ip ip
destination.port long
device.id keyword
file.inode keyword
host.network.ingress.queue long
network.protocol keyword
process.name keyword
process.pid long
source.ip ip
source.port long

Tasks

  • Map and update all fields in the ports inventory according to ECS guidelines.

References
@vikman90 vikman90 added the mvp Minimum Viable Product refinement label Nov 13, 2024
@vikman90 vikman90 mentioned this issue Nov 13, 2024
Open
@vikman90 vikman90 added level/task Task issue type/enhancement Enhancement issue module/inventory Inventory module level/subtask Subtask issue and removed level/task Task issue labels Nov 13, 2024
@wazuhci wazuhci moved this to Backlog in Release 5.0.0 Nov 13, 2024
@vikman90 vikman90 mentioned this issue Nov 14, 2024
Open
@LucioDonda LucioDonda self-assigned this Nov 15, 2024
@wazuhci wazuhci moved this from Backlog to In progress in Release 5.0.0 Nov 15, 2024
@LucioDonda LucioDonda linked a pull request Nov 15, 2024 that will close this issue
Draft
1 task
@LucioDonda LucioDonda linked a pull request Nov 15, 2024 that will close this issue
Remap Port Fields to ECS compliance #310
Draft
1 task
@LucioDonda
Copy link
Member

LucioDonda commented Nov 15, 2024
edited
Loading

Messages are being received almost empty altough I'm forcing the opening and closing of ports:

Body:
{
    "agent": {
        "groups": [],
        "host": {
            "architecture": "x86_64",
            "hostname": "pm-ubuntu24-server",
            "ip": [
                "192.168.0.141",
                "fe80::be24:11ff:fe54:83fb"
            ],
            "os": {
                "name": "Ubuntu",
                "platform": "Linux"
            }
        },
        "id": "e5b4b52b-9b22-4dd0-ab57-651a6eb6e720",
        "name": "",
        "type": "Endpoint",
        "version": "5.0.0"
    }
}
{
    "id": "aW52ZW50b3J5OnBvcnRzOg==",
    "module": "inventory",
    "operation": "deleted",
    "type": "ports"
}
{
    "@timestamp": "2024/11/15 20:06:13"
}

Pending UTs fixes / addition

@LucioDonda
Copy link
Member

Corrections of resultant json:

{
    "data": {
        "@timestamp": "2024/11/19 20:12:29",
        "destination": {
            "ip": "::ffff:192.168.0.127",
            "port": 60130
        },
        "device": {
            "id": "f4554af2792e6cc5c61bd2c14bf35427b635fa44"
        },
        "file": {
            "inode": 2662
        },
        "host": {
            "network": {
                "egress": {
                    "queue": 268
                },
                "ingress": {
                    "queue": 0
                }
            }
        },
        "interface": {
            "state": "established"
        },
        "network": {
            "protocol": "tcp6"
        },
        "process": {
            "name": "sshd",
            "pid": 1238
        },
        "source": {
            "ip": "::ffff:192.168.0.141",
            "port": 22
        }
    },
    "id": "aW52ZW50b3J5OnBvcnRzOjI2NjI6dGNwNjo6OmZmZmY6MTkyLjE2OC4wLjE0MToyMg==",
    "operation": "create",
    "type": "ports"
}

, metadata 
{
    "id": "aW52ZW50b3J5OnBvcnRzOjI2NjI6dGNwNjo6OmZmZmY6MTkyLjE2OC4wLjE0MToyMg==",
    "module": "inventory",
    "operation": "create",
    "type": "ports"
}

matching id criteria:
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@LucioDonda LucioDonda

Labels
level/subtask Subtask issue module/inventory Inventory module mvp Minimum Viable Product refinement type/enhancement Enhancement issue
Projects
Release 5.0.0
Status: In progress
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remap Port Fields to ECS compliance wazuh/wazuh-agent
2 participants
@vikman90 @LucioDonda