Adding ecs mapping files for FIM index

ecs/states-inventory-fim/event-generator/event_generator.py

@@ -0,0 +1,114 @@
+#!/bin/python3
+
+import datetime
+import random
+import json
+import requests
+import warnings
+import logging
+
+# Constants and Configuration
+LOG_FILE = 'generate_data.log'
+GENERATED_DATA_FILE = 'generatedData.json'
+DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
+
+# Configure logging
+logging.basicConfig(filename=LOG_FILE, level=logging.INFO)
+
+# Suppress warnings
+warnings.filterwarnings("ignore")
+
+
+def generate_random_date():
+    start_date = datetime.datetime.now()
+    end_date = start_date - datetime.timedelta(days=10)
+    random_date = start_date + (end_date - start_date) * random.random()
+    return random_date.strftime(DATE_FORMAT)
+
+
+def generate_random_agent():
+    agent = {
+        'id': f'agent{random.randint(0, 99)}',
+        'name': f'Agent{random.randint(0, 99)}',
+        'type': random.choice(['filebeat', 'windows', 'linux', 'macos']),
+        'version': f'v{random.randint(0, 9)}-stable',
+        'is_connected': random.choice([True, False]),
+        'last_login': generate_random_date(),
+        'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'],
+        'key': f'key{random.randint(0, 999)}'
+    }
+    return agent
+
+
+def generate_random_host():
+    family = random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL'])
+    version = f'{random.randint(0, 99)}.{random.randint(0, 99)}'
+    host = {
+        'ip': f'{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}',
+        'os': {
+            'full': f'{family} {version}',
+        }
+    }
+    return host
+
+
+def generate_random_data(number):
+    data = []
+    for _ in range(number):
+        event_data = {
+            'agent': generate_random_agent(),
+            'host': generate_random_host(),
+        }
+        data.append(event_data)
+    return data
+
+
+def inject_events(ip, port, index, username, password, data):
+    url = f'https://{ip}:{port}/{index}/_doc'
+    session = requests.Session()
+    session.auth = (username, password)
+    session.verify = False
+    headers = {'Content-Type': 'application/json'}
+
+    try:
+        for event_data in data:
+            response = session.post(url, json=event_data, headers=headers)
+            if response.status_code != 201:
+                logging.error(f'Error: {response.status_code}')
+                logging.error(response.text)
+                break
+        logging.info('Data injection completed successfully.')
+    except Exception as e:
+        logging.error(f'Error: {str(e)}')
+
+
+def main():
+    try:
+        number = int(input("How many events do you want to generate? "))
+    except ValueError:
+        logging.error("Invalid input. Please enter a valid number.")
+        return
+
+    logging.info(f"Generating {number} events...")
+    data = generate_random_data(number)
+
+    with open(GENERATED_DATA_FILE, 'a') as outfile:
+        for event_data in data:
+            json.dump(event_data, outfile)
+            outfile.write('\n')
+
+    logging.info('Data generation completed.')
+
+    inject = input(
+        "Do you want to inject the generated data into your indexer? (y/n) ").strip().lower()
+    if inject == 'y':
+        ip = input("Enter the IP of your Indexer: ")
+        port = input("Enter the port of your Indexer: ")
+        index = input("Enter the index name: ")
+        username = input("Username: ")
+        password = input("Password: ")
+        inject_events(ip, port, index, username, password, data)
+
+
+if __name__ == "__main__":
+    main()

ecs/states-inventory-fim/fields/custom/states-inventory-fim.yml

@@ -0,0 +1,12 @@
+---
+- name: agent
+  title: Wazuh Agents
+  short: Wazuh Inc. custom fields.
+  type: group
+  group: 2
+  fields:
+    - name: groups
+      type: keyword
+      level: custom
+      description: >
+        The groups the agent belongs to.

ecs/states-inventory-fim/fields/mapping-settings.json

@@ -0,0 +1,4 @@
+{
+    "dynamic": "strict",
+    "date_detection": false
+}

ecs/states-inventory-fim/fields/subset.yml

@@ -0,0 +1,36 @@
+---
+name: fim
+fields:
+  base:
+    fields:
+      tags: []
+  agent:
+    fields:
+      id: {}
+      groups: {}
+    file:
+      fields:
+        attributes: {}
+        name: {}
+        path: {}
+        gid: {}
+        group: {}
+        inode: {}
+        hash:
+          fields:
+            md5: {}
+            sha1: {}
+            sha256: {}
+            mtime: {}
+            mode: {}
+            size: {}
+            target_path: {}
+            type: {}
+            uid: {}
+            owner: {}
+    registry:
+      fields:
+        key: {}
+        value: {}
+
+

ecs/states-inventory-fim/fields/template-settings-legacy.json

@@ -0,0 +1,22 @@
+{
+  "index_patterns": ["wazuh-states-fim*"],
+  "order": 1,
+  "settings": {
+    "index": {
+      "hidden": true,
+      "number_of_shards": "1",
+      "number_of_replicas": "0",
+      "refresh_interval": "5s",
+      "query.default_field": [
+        "agent.id",
+        "agent.groups",
+        "file.name",
+        "file.path",
+        "file.target_path",
+        "file.group",
+        "file.uid",
+        "file.gid"
+      ]
+    }
+  }
+}

ecs/states-inventory-fim/fields/template-settings.json

@@ -0,0 +1,23 @@
+{
+  "index_patterns": ["wazuh-states-fim*"],
+  "priority": 1,
+  "template": {
+    "settings": {
+      "index": {
+        "number_of_shards": "1",
+        "number_of_replicas": "0",
+        "refresh_interval": "5s",
+        "query.default_field": [
+          "agent.id",
+          "agent.groups",
+          "file.name",
+          "file.path",
+          "file.target_path",
+          "file.group",
+          "file.uid",
+          "file.gid"
+        ]
+      }
+    }
+  }
+}