Optimize Inventory Tables by Removing Unused Fields #497

Open
cborla opened this issue Jan 10, 2025 · 5 comments · May be fixed by #522
Labels: level/task (Task issue), module/agent, module/inventory (Inventory module), type/enhancement (Enhancement issue)

Comments

@cborla (Member) commented Jan 10, 2025

Description

The current implementation of the Inventory system in the DataProvider includes some fields that are not utilized. This issue aims to improve the system by removing unused fields, simplifying the data structure, and ensuring that only relevant and necessary fields are maintained.

An updated spreadsheet will be used as the reference for determining which fields are to be kept or removed.

Tasks

  1. Review and Update Field Usage:

    • Analyze the current fields used by the Inventory module.
    • Compare the fields against the updated spreadsheet to identify unused ones.
  2. Remove Unused Fields:

    • Remove all fields from the Inventory Tables that are not used.
    • Ensure that the removal does not impact other modules or functionality.
  3. Test System Functionality:

    • Perform unit and integration testing to ensure the system functions correctly after the removal of unused fields.
    • Verify that the Inventory module continues to provide accurate and reliable data.

Acceptance Criteria

  • Unused fields identified in the updated spreadsheet are removed from the Inventory.
  • Documentation reflects the new field structure and only includes relevant fields.
  • The system passes all unit and integration tests without introducing errors.
@cborla cborla added the labels level/task, type/enhancement, module/agent and module/inventory Jan 10, 2025
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 5.0.0 Jan 10, 2025
@vikman90 vikman90 added the mvp Minimum Viable Product refinement label Jan 10, 2025
@vikman90 vikman90 mentioned this issue Jan 10, 2025
@davidjiglesias davidjiglesias removed the mvp Minimum Viable Product refinement label Jan 13, 2025
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 5.0.0 Jan 20, 2025
@nbertoldo (Member)

Fields unused by inventory module

These database fields are not currently used by the inventory module, so they must be removed.

System

Field Type
os_major Text
os_minor Text
os_patch Text
release Text
version Text
os_release Text
os_display_version Text

Packages

Field Type
vendor Text
groups Text
priority Text
multiarch Text
source Text

Processes

Field Type
state Text
utime Bigint
stime Bigint
fgroup Text
priority Bigint
nice Bigint
size Bigint
vm_size Bigint
resident Bigint
share Bigint
pgrp Bigint
session Bigint
nlwp Bigint
processor Bigint
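The issue's task list (identify unused columns, remove them, verify nothing else breaks) and the removal list above translate into a small schema migration. What follows is an added example, not code from this issue or from the Wazuh agent: it rebuilds a SQLite table without the columns listed for removal and checks that the surviving data is unchanged. The agent's real table layout is not shown on this page, so every column in the demo table other than the ones listed above (pid, name, cmd, ppid, start_time, euser) is an assumption, and the removal list itself is copied from the tables in this comment.

```python
import sqlite3

# Columns listed in this comment as unused by the inventory module.
UNUSED_FIELDS = {
    "system": ["os_major", "os_minor", "os_patch", "release", "version",
               "os_release", "os_display_version"],
    "packages": ["vendor", "groups", "priority", "multiarch", "source"],
    "processes": ["state", "utime", "stime", "fgroup", "priority", "nice",
                  "size", "vm_size", "resident", "share", "pgrp", "session",
                  "nlwp", "processor"],
}


def table_columns(conn, table):
    """Return [(name, declared_type, is_primary_key)] in declaration order."""
    rows = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
    return [(r[1], r[2], bool(r[5])) for r in rows]


def drop_columns(conn, table, drop):
    """Rebuild `table` without the columns in `drop`, inside one transaction.

    Uses the create-copy-swap pattern rather than ALTER TABLE ... DROP COLUMN
    so it also works on SQLite builds older than 3.35. Refuses to run if a
    requested column does not exist, so a typo in the removal list cannot
    silently pass.
    """
    cols = table_columns(conn, table)
    present = {name for name, _, _ in cols}
    missing = [c for c in drop if c not in present]
    if missing:
        raise ValueError(f"{table}: unknown columns {missing}")
    keep = [c for c in cols if c[0] not in set(drop)]
    coldefs = ", ".join(f'"{n}" {t}{" PRIMARY KEY" if pk else ""}' for n, t, pk in keep)
    names = ", ".join(f'"{n}"' for n, _, _ in keep)
    tmp = f"{table}__new"
    conn.execute("BEGIN")
    try:
        conn.execute(f'CREATE TABLE "{tmp}" ({coldefs})')
        conn.execute(f'INSERT INTO "{tmp}" ({names}) SELECT {names} FROM "{table}"')
        conn.execute(f'DROP TABLE "{table}"')
        conn.execute(f'ALTER TABLE "{tmp}" RENAME TO "{table}"')
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return [n for n, _, _ in keep]


def build_demo_db():
    """Constructed stand-in for the agent's processes table.

    The real schema is not on this page: only the columns listed for removal
    come from the issue; pid, name, cmd, ppid, start_time and euser are
    assumptions, as are all row values.
    """
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # autocommit; drop_columns issues BEGIN/COMMIT itself
    conn.execute(
        "CREATE TABLE processes ("
        "pid INTEGER PRIMARY KEY, name TEXT, cmd TEXT, ppid INTEGER, start_time BIGINT, euser TEXT, "
        "state TEXT, utime BIGINT, stime BIGINT, fgroup TEXT, priority BIGINT, nice BIGINT, "
        "size BIGINT, vm_size BIGINT, resident BIGINT, share BIGINT, pgrp BIGINT, session BIGINT, "
        "nlwp BIGINT, processor BIGINT)"
    )
    conn.execute("INSERT INTO processes VALUES (29694,'sleep','sleep 180',2622,1737572918,'vagrant',"
                 "'S',0,0,'vagrant',20,0,0,0,0,0,2622,2622,1,3)")
    conn.execute("INSERT INTO processes VALUES (113,'kworker/7:1-mm_',NULL,2,1737549680,'root',"
                 "'I',0,0,'root',20,0,0,0,0,0,0,0,1,7)")
    return conn


def migrate_processes():
    """Drop the unused process columns and prove the kept data is untouched."""
    conn = build_demo_db()
    snapshot = "SELECT pid, name, cmd, ppid, start_time, euser FROM processes ORDER BY pid"
    before = conn.execute(snapshot).fetchall()
    kept = drop_columns(conn, "processes", UNUSED_FIELDS["processes"])
    after = conn.execute(snapshot).fetchall()
    if before != after:
        raise RuntimeError("kept columns changed during rebuild")
    return kept


if __name__ == "__main__":
    print("remaining columns:", migrate_processes())
```

The before/after snapshot is the part worth keeping in a real migration: it is the cheapest way to turn "ensure that the removal does not impact other modules" into something a CI job can fail on.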

@nbertoldo nbertoldo linked a pull request Jan 20, 2025 that will close this issue
@nbertoldo (Member) commented Jan 21, 2025

Work Update

2025/01/20

  • Removed unused fields from inventory database tables.
  • Updated inventory unit tests.

2025/01/21

  • Removed unused fields from data-provider module.
  • Updated data-provider unit tests.

2025/01/22

  • Optimized inventory events generation.
  • Test E2E Agent Ubuntu 24.04.
  • Test E2E Agent Windows Server 22 (work in progress).

2025/01/23

  • Rebase.
  • Test E2E Agent Windows Server 22.
  • Test E2E macOS Sonoma 14.4.1.

2025/01/24

  • Restore data-provider code previously removed.
  • Add inventory README.md file.
  • Generate packages:
  • Test on macOS.

@nbertoldo (Member)

Test E2E Agent Ubuntu 24.04

Hardware

Stateful event
{
  "_index": "wazuh-states-inventory-hardware",
  "_id": "9ba4952d5d926e10b8e6307a6b4f26378d4f171a",
  "_version": 26,
  "_score": null,
  "_source": {
    "agent": {
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-22T18:16:37.411Z",
    "host": {
      "cpu": {
        "cores": 8,
        "name": "AMD Ryzen 7 5800X 8-Core Processor",
        "speed": 3800
      },
      "memory": {
        "free": 8312548,
        "total": 12247080,
        "used": {
          "percentage": 33
        }
      }
    },
    "observer": {
      "serial_number": ""
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-22T18:16:37.411Z"
    ]
  },
  "sort": [
    1737569797411
  ]
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "QAxlj5QBFK1WmStE-Tk7",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "hardware-updated",
      "category": [
        "host"
      ],
      "changed_fields": [
        "host.memory.free"
      ],
      "created": "2025-01-22T19:01:52.896Z",
      "reason": "Hardware changed",
      "type": [
        "change"
      ]
    },
    "host": {
      "cpu": {
        "cores": 8,
        "name": "AMD Ryzen 7 5800X 8-Core Processor",
        "speed": 3800
      },
      "memory": {
        "free": 8438168,
        "previous": {
          "free": 8435760
        },
        "total": 12247080,
        "used": {
          "percentage": 32
        }
      }
    },
    "observer": {
      "serial_number": ""
    }
  },
  "fields": {
    "event.created": [
      "2025-01-22T19:01:52.896Z"
    ]
  },
  "sort": [
    0,
    1737572512896
  ]
}

System

Stateful event
{
  "_index": "wazuh-states-inventory-system",
  "_id": "bdf9b92902e7dd27325a44c34ba0e8ba3a9fb5ae",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-22T17:00:42.709Z",
    "host": {
      "architecture": "x86_64",
      "hostname": "noble",
      "os": {
        "full": "noble",
        "kernel": null,
        "name": "Ubuntu",
        "platform": "ubuntu",
        "type": "Linux",
        "version": "24.04.1 LTS (Noble Numbat)"
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-22T17:00:42.709Z"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "U2n2jpQBDRaPAqzuL3ZA",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "system-detected",
      "category": [
        "host"
      ],
      "created": "2025-01-22T17:00:42.709Z",
      "reason": "System noble is running OS version 24.04.1 LTS (Noble Numbat)",
      "type": [
        "info"
      ]
    },
    "host": {
      "architecture": "x86_64",
      "hostname": "noble",
      "os": {
        "full": "noble",
        "kernel": null,
        "name": "Ubuntu",
        "platform": "ubuntu",
        "type": "Linux",
        "version": "24.04.1 LTS (Noble Numbat)"
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-22T17:00:42.709Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@system-detected@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737565242709
  ]
}

Packages

Stateful event
{
  "_index": "wazuh-states-inventory-packages",
  "_id": "1834cc1dcc01edb17e380fa3b971097dbad1be81",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-22T17:00:42.709Z",
    "package": {
      "architecture": "amd64",
      "description": "command line tool for transferring data with URL syntax",
      "installed": null,
      "name": "curl",
      "path": "",
      "size": 533504,
      "type": "deb",
      "version": "8.5.0-2ubuntu10.4"
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-22T17:00:42.709Z"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "aGn2jpQBDRaPAqzuL3ZA",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "package-installed",
      "category": [
        "package"
      ],
      "created": "2025-01-22T17:00:42.709Z",
      "reason": "Package bash (version 5.2.21-2ubuntu4) was installed",
      "type": [
        "installation"
      ]
    },
    "package": {
      "architecture": "amd64",
      "description": "GNU Bourne Again SHell",
      "installed": null,
      "name": "bash",
      "path": "",
      "size": 1945600,
      "type": "deb",
      "version": "5.2.21-2ubuntu4"
    }
  },
  "fields": {
    "event.created": [
      "2025-01-22T17:00:42.709Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@package-installed@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737565242709
  ]
}

Processes

Stateful event
{
  "_index": "wazuh-states-inventory-processes",
  "_id": "2fae899bab5560df9387ac9f02ba4823ef44fed2",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-22T19:10:57.368Z",
    "process": {
      "args": "180",
      "command_line": "sleep",
      "group": {
        "id": "vagrant"
      },
      "name": "sleep",
      "parent": {
        "pid": 2622
      },
      "pid": "29694",
      "real_group": {
        "id": "vagrant"
      },
      "real_user": {
        "id": "vagrant"
      },
      "saved_group": {
        "id": "vagrant"
      },
      "saved_user": {
        "id": "vagrant"
      },
      "start": 1737572918,
      "thread": {
        "id": 29694
      },
      "tty": {
        "char_device": {
          "major": 0
        }
      },
      "user": {
        "id": "vagrant"
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-22T19:10:57.368Z"
    ],
    "process.start": [
      "1970-01-21T02:39:32.918Z"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "9Qxyj5QBFK1WmStEpUV_",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "process-updated",
      "category": [
        "process"
      ],
      "changed_fields": [
        "process.name"
      ],
      "created": "2025-01-22T19:16:58.184Z",
      "reason": "Process kworker/7:1-mm_ (PID: kworker/7:1-mm_) was updated",
      "type": [
        "change"
      ]
    },
    "process": {
      "args": null,
      "command_line": null,
      "group": {
        "id": "root"
      },
      "name": "kworker/7:1-mm_",
      "parent": {
        "pid": 2
      },
      "pid": "113",
      "previous": {
        "name": "kworker/7:1-eve"
      },
      "real_group": {
        "id": "root"
      },
      "real_user": {
        "id": "root"
      },
      "saved_group": {
        "id": "root"
      },
      "saved_user": {
        "id": "root"
      },
      "start": 1737549680,
      "thread": {
        "id": 113
      },
      "tty": {
        "char_device": {
          "major": 0
        }
      },
      "user": {
        "id": "root"
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-22T19:16:58.184Z"
    ],
    "process.start": [
      "1970-01-21T02:39:09.680Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@process-updated@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737573418184
  ]
}

Networks

Stateful event
{
  "_index": "wazuh-states-inventory-networks",
  "_id": "d25d49aa19a6c755ba0d50d2cf55fc76118ca7a5",
  "_version": 44,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-22T19:20:05.405Z",
    "host": {
      "ip": [
        "10.0.2.15"
      ],
      "mac": "08:00:27:64:e1:ff",
      "network": {
        "egress": {
          "bytes": 18155798,
          "drops": 0,
          "errors": 0,
          "packets": 27040
        },
        "ingress": {
          "bytes": 25635476,
          "drops": 0,
          "errors": 0,
          "packets": 47952
        }
      }
    },
    "interface": {
      "mtu": 1500,
      "state": "up",
      "type": "ethernet"
    },
    "network": {
      "broadcast": [
        "10.0.2.255"
      ],
      "dhcp": null,
      "gateway": [
        "10.0.2.2"
      ],
      "metric": "100",
      "netmask": [
        "255.255.255.0"
      ],
      "protocol": null,
      "type": "ipv4"
    },
    "observer": {
      "ingress": {
        "interface": {
          "alias": "",
          "name": "eth0"
        }
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-22T19:20:05.405Z"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "bwx9j5QBFK1WmStEtlED",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "network-interface-updated",
      "category": [
        "network"
      ],
      "changed_fields": [
        "host.network.ingress.bytes",
        "host.network.ingress.packets",
        "host.network.egress.bytes",
        "host.network.egress.packets"
      ],
      "created": "2025-01-22T19:29:06.643Z",
      "reason": "Network interface eth1 updated",
      "type": [
        "change"
      ]
    },
    "host": {
      "ip": [
        "fe80::a00:27ff:fecb:7200"
      ],
      "mac": "08:00:27:cb:72:00",
      "network": {
        "egress": {
          "bytes": 38469212,
          "drops": 0,
          "errors": 0,
          "packets": 59931,
          "previous": {
            "bytes": 38416630,
            "packets": 59721
          }
        },
        "ingress": {
          "bytes": 12302678,
          "drops": 0,
          "errors": 0,
          "packets": 67019,
          "previous": {
            "bytes": 12255358,
            "packets": 66796
          }
        }
      }
    },
    "interface": {
      "mtu": 1500,
      "state": "up",
      "type": "ethernet"
    },
    "network": {
      "broadcast": [],
      "dhcp": null,
      "gateway": [],
      "metric": null,
      "netmask": [
        "ffff:ffff:ffff:ffff::"
      ],
      "protocol": null,
      "type": "ipv6"
    },
    "observer": {
      "ingress": {
        "interface": {
          "alias": "",
          "name": "eth1"
        }
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-22T19:29:06.643Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@network-interface-updated@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737574146643
  ]
}

Ports

Stateful event
{
  "_index": "wazuh-states-inventory-ports",
  "_id": "14d6e359dcfc25c7ecf9377d76f1d1ba7ba019aa",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-22T19:29:06.643Z",
    "destination": {
      "ip": [
        "192.168.56.125"
      ],
      "port": 27000
    },
    "file": {
      "inode": 81024
    },
    "host": {
      "network": {
        "egress": {
          "queue": 0
        },
        "ingress": {
          "queue": 510
        }
      }
    },
    "interface": {
      "state": "established"
    },
    "network": {
      "protocol": "tcp"
    },
    "process": {
      "name": "wazuh-agent",
      "pid": 27184
    },
    "source": {
      "ip": [
        "192.168.56.132"
      ],
      "port": 58796
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-22T19:29:06.643Z"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "LgyAj5QBFK1WmStEdlQn",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "0540d11c-7f99-43ff-bf5f-6173616c3b09",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "destination": {
      "ip": [
        "127.0.0.1"
      ],
      "port": 47472
    },
    "event": {
      "action": "port-updated",
      "category": [
        "network"
      ],
      "changed_fields": [
        "host.network.egress.queue"
      ],
      "created": "2025-01-22T19:32:07.070Z",
      "reason": "Updated connection from source port 42959 to destination port 47472",
      "type": [
        "change"
      ]
    },
    "file": {
      "inode": 16437
    },
    "host": {
      "network": {
        "egress": {
          "previous": {
            "queue": 0
          },
          "queue": 63
        },
        "ingress": {
          "queue": 0
        }
      }
    },
    "interface": {
      "state": "established"
    },
    "network": {
      "protocol": "tcp"
    },
    "process": {
      "name": "code-91fbdddc47",
      "pid": 2642
    },
    "source": {
      "ip": [
        "127.0.0.1"
      ],
      "port": 42959
    }
  },
  "fields": {
    "event.created": [
      "2025-01-22T19:32:07.070Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@port-updated@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737574327070
  ]
}
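The stateless change events in this post pair every entry of event.changed_fields with an old value stored one level up (host.memory.previous.free, process.previous.name, host.network.egress.previous.bytes). The following is an added consistency check, not code from this issue or from Wazuh, that verifies that pairing and two further things visible in the dump above: the process-updated reason string repeats the process name where the PID belongs ("PID: kworker/7:1-mm_" for pid 113), and process.start holds epoch seconds that the index renders as 1970-01-21, i.e. it is being read as milliseconds. The two sample documents are trimmed copies of events posted above (the agent block is dropped); the previous-value layout rule is inferred from those samples and is an assumption about the general case.

```python
from datetime import datetime, timezone


def get_path(doc, dotted):
    """Resolve 'a.b.c' in nested dicts; returns (found, value)."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False, None
        cur = cur[part]
    return True, cur


def previous_value(doc, dotted):
    """Old value of changed field a.b.c is expected at a.b.previous.c, the
    layout used by host.memory.previous.free and process.previous.name above."""
    parent, _, leaf = dotted.rpartition(".")
    path = f"{parent}.previous.{leaf}" if parent else f"previous.{leaf}"
    return get_path(doc, path)


def epoch_unit_issue(field, value):
    """Flag an epoch that is plainly seconds: read as milliseconds (which is
    how fields.process.start is rendered above) it lands in January 1970."""
    if not isinstance(value, (int, float)) or isinstance(value, bool):
        return None
    if value < 10**11:  # as milliseconds this is still before 1973
        as_ms = datetime.fromtimestamp(value / 1000, tz=timezone.utc)
        return f"{field}={value} is epoch seconds; read as ms it renders as {as_ms:%Y-%m-%d}"
    return None


def validate_change_event(src):
    """Return findings (empty list means consistent) for one alert _source."""
    findings = []
    ev = src.get("event", {})
    if "change" in ev.get("type", []):
        changed = ev.get("changed_fields") or []
        if not changed:
            findings.append("change event without changed_fields")
        for field in changed:
            found_now, now = get_path(src, field)
            found_prev, prev = previous_value(src, field)
            if not found_now:
                findings.append(f"{field}: listed as changed but absent")
            elif not found_prev:
                findings.append(f"{field}: no previous value recorded")
            elif now == prev:
                findings.append(f"{field}: current equals previous ({now!r})")
    proc = src.get("process")
    if proc and "process" in ev.get("category", []):
        pid = str(proc.get("pid"))
        reason = ev.get("reason", "")
        if "(PID: " in reason and f"(PID: {pid})" not in reason:
            quoted = reason.split("(PID: ", 1)[1].split(")", 1)[0]
            findings.append(f"reason gives PID as {quoted!r} but process.pid is {pid}")
        issue = epoch_unit_issue("process.start", proc.get("start"))
        if issue:
            findings.append(issue)
    return findings


# Trimmed copies of two alerts posted above (constructed from the dump, agent block removed).
HARDWARE_UPDATED = {
    "event": {"action": "hardware-updated", "category": ["host"],
              "changed_fields": ["host.memory.free"], "reason": "Hardware changed",
              "type": ["change"]},
    "host": {"cpu": {"cores": 8, "name": "AMD Ryzen 7 5800X 8-Core Processor", "speed": 3800},
             "memory": {"free": 8438168, "previous": {"free": 8435760},
                        "total": 12247080, "used": {"percentage": 32}}},
}
PROCESS_UPDATED = {
    "event": {"action": "process-updated", "category": ["process"],
              "changed_fields": ["process.name"],
              "reason": "Process kworker/7:1-mm_ (PID: kworker/7:1-mm_) was updated",
              "type": ["change"]},
    "process": {"name": "kworker/7:1-mm_", "parent": {"pid": 2}, "pid": "113",
                "previous": {"name": "kworker/7:1-eve"}, "start": 1737549680,
                "user": {"id": "root"}},
}


def run_samples():
    return {"hardware-updated": validate_change_event(HARDWARE_UPDATED),
            "process-updated": validate_change_event(PROCESS_UPDATED)}


if __name__ == "__main__":
    for action, findings in run_samples().items():
        print(action, "->", findings or "ok")
```

Run against the two samples, the hardware event passes and the process event produces the two findings described in the lead-in; the same function can be pointed at a scroll over wazuh-alerts-* to catch regressions in the event generator after a schema change like this one.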

@nbertoldo (Member)

Test E2E Agent Windows Server 2022

Hardware

Stateful event
{
  "_index": "wazuh-states-inventory-hardware",
  "_id": "069a466d7ff482effca2596084fd4a86ce8cf1f3",
  "_version": 4,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      }
    },
    "@timestamp": "2025-01-23T13:41:48.541Z",
    "host": {
      "cpu": {
        "cores": 4,
        "name": "AMD Ryzen 7 5800X 8-Core Processor             ",
        "speed": 3800
      },
      "memory": {
        "free": 2733784,
        "total": 4177604,
        "used": {
          "percentage": 34
        }
      }
    },
    "observer": {
      "serial_number": "0"
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T13:41:48.541Z"
    ]
  },
  "highlight": {
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "lx2Pk5QBMb5FqFN1NATM",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      },
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "hardware-updated",
      "category": [
        "host"
      ],
      "changed_fields": [
        "host.memory.free"
      ],
      "created": "2025-01-23T14:26:50.776Z",
      "reason": "Hardware changed",
      "type": [
        "change"
      ]
    },
    "host": {
      "cpu": {
        "cores": 4,
        "name": "AMD Ryzen 7 5800X 8-Core Processor             ",
        "speed": 3800
      },
      "memory": {
        "free": 2741344,
        "previous": {
          "free": 2741320
        },
        "total": 4177604,
        "used": {
          "percentage": 34
        }
      }
    },
    "observer": {
      "serial_number": "0"
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T14:26:50.776Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@hardware-updated@/opensearch-dashboards-highlighted-field@"
    ],
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737642410776
  ]
}

System

Stateful event
{
  "_index": "wazuh-states-inventory-system",
  "_id": "cab8945bb562b559877b8241b5ceaaa81e069ab3",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      }
    },
    "@timestamp": "2025-01-22T21:12:00.356Z",
    "host": {
      "architecture": "x86_64",
      "hostname": "VM-WIN2022",
      "os": {
        "full": null,
        "kernel": "20348.1906",
        "name": "Microsoft Windows Server 2022 Standard",
        "platform": "windows",
        "type": null,
        "version": "10.0.20348.1906"
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-22T21:12:00.356Z"
    ]
  },
  "highlight": {
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "IQzbj5QBFK1WmStEy6_3",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      },
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "system-detected",
      "category": [
        "host"
      ],
      "created": "2025-01-22T21:12:00.356Z",
      "reason": "System VM-WIN2022 is running OS version 10.0.20348.1906",
      "type": [
        "info"
      ]
    },
    "host": {
      "architecture": "x86_64",
      "hostname": "VM-WIN2022",
      "os": {
        "full": null,
        "kernel": "20348.1906",
        "name": "Microsoft Windows Server 2022 Standard",
        "platform": "windows",
        "type": null,
        "version": "10.0.20348.1906"
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-22T21:12:00.356Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@system-detected@/opensearch-dashboards-highlighted-field@"
    ],
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737580320356
  ]
}

Packages

Stateful event
{
  "_index": "wazuh-states-inventory-packages",
  "_id": "8fe27919f9f7b4de28a2ccdd548cf3523c0ea8c3",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      }
    },
    "@timestamp": "2025-01-22T21:12:00.356Z",
    "package": {
      "architecture": "x86_64",
      "description": null,
      "installed": "2024-05-03T16:11:27.000Z",
      "name": "Notepad++ (64-bit x64)",
      "path": "",
      "size": null,
      "type": "win",
      "version": "8.6.4"
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-22T21:12:00.356Z"
    ],
    "package.installed": [
      "2024-05-03T16:11:27.000Z"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "JQzbj5QBFK1WmStEy6_3",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      },
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "package-installed",
      "category": [
        "package"
      ],
      "created": "2025-01-22T21:12:00.356Z",
      "reason": "Package OpenSSL 3.4.0 (64-bit) (version 3.4.0) was installed",
      "type": [
        "installation"
      ]
    },
    "package": {
      "architecture": "x86_64",
      "description": null,
      "installed": "2024-12-02T18:22:19.000Z",
      "name": "OpenSSL 3.4.0 (64-bit)",
      "path": "C:\\Program Files\\OpenSSL-Win64\\",
      "size": null,
      "type": "win",
      "version": "3.4.0"
    }
  },
  "fields": {
    "event.created": [
      "2025-01-22T21:12:00.356Z"
    ],
    "package.installed": [
      "2024-12-02T18:22:19.000Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@package-installed@/opensearch-dashboards-highlighted-field@"
    ],
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737580320356
  ]
}

Processes

Stateful event
{
  "_index": "wazuh-states-inventory-processes",
  "_id": "a56856499386339f5c5059f67c326c07bd95e7aa",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      }
    },
    "@timestamp": "2025-01-23T13:41:48.541Z",
    "process": {
      "args": null,
      "command_line": "C:\\Windows\\System32\\fontdrvhost.exe",
      "group": {
        "id": null
      },
      "name": "fontdrvhost.exe",
      "parent": {
        "pid": 556
      },
      "pid": "864",
      "real_group": {
        "id": null
      },
      "real_user": {
        "id": null
      },
      "saved_group": {
        "id": null
      },
      "saved_user": {
        "id": null
      },
      "start": 1737638375,
      "thread": {
        "id": null
      },
      "tty": {
        "char_device": {
          "major": null
        }
      },
      "user": {
        "id": null
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T13:41:48.541Z"
    ],
    "process.start": [
      "1970-01-21T02:40:38.375Z"
    ]
  },
  "highlight": {
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "zRxlk5QBMb5FqFN1_cV7",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      },
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "process-updated",
      "category": [
        "process"
      ],
      "changed_fields": [
        "process.command_line",
        "process.name",
        "process.start",
        "process.parent.pid"
      ],
      "created": "2025-01-23T13:41:48.541Z",
      "reason": "Process VBoxService.exe (PID: VBoxService.exe) was updated",
      "type": [
        "change"
      ]
    },
    "process": {
      "args": null,
      "command_line": "C:\\Windows\\System32\\VBoxService.exe",
      "group": {
        "id": null
      },
      "name": "VBoxService.exe",
      "parent": {
        "pid": 700,
        "previous": {
          "pid": 696
        }
      },
      "pid": "1312",
      "previous": {
        "command_line": "C:\\Windows\\System32\\svchost.exe",
        "name": "svchost.exe",
        "start": 1737575854
      },
      "real_group": {
        "id": null
      },
      "real_user": {
        "id": null
      },
      "saved_group": {
        "id": null
      },
      "saved_user": {
        "id": null
      },
      "start": 1737638375,
      "thread": {
        "id": null
      },
      "tty": {
        "char_device": {
          "major": null
        }
      },
      "user": {
        "id": null
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T13:41:48.541Z"
    ],
    "process.start": [
      "1970-01-21T02:40:38.375Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@process-updated@/opensearch-dashboards-highlighted-field@"
    ],
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737639708541
  ]
}

Networks

Stateful event
{
  "_index": "wazuh-states-inventory-networks",
  "_id": "3acb3cb1a518a5c03d3a5de6ad255e94fce0d78c",
  "_version": 9,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      }
    },
    "@timestamp": "2025-01-23T14:14:50.292Z",
    "host": {
      "ip": [
        "10.0.2.15"
      ],
      "mac": "08:00:27:38:5b:60",
      "network": {
        "egress": {
          "bytes": 301838,
          "drops": 0,
          "errors": 0,
          "packets": 1285
        },
        "ingress": {
          "bytes": 3443103,
          "drops": 0,
          "errors": 0,
          "packets": 3209
        }
      }
    },
    "interface": {
      "mtu": 1500,
      "state": "up",
      "type": "ethernet"
    },
    "network": {
      "broadcast": [
        "10.0.2.255"
      ],
      "dhcp": "enabled",
      "gateway": [
        "10.0.2.2"
      ],
      "metric": "25",
      "netmask": [
        "255.255.255.0"
      ],
      "protocol": null,
      "type": "ipv4"
    },
    "observer": {
      "ingress": {
        "interface": {
          "alias": "Intel(R) PRO/1000 MT Desktop Adapter",
          "name": "Ethernet"
        }
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T14:14:50.292Z"
    ]
  },
  "highlight": {
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "Mh2ak5QBMb5FqFN1MRWm",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      },
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "network-interface-updated",
      "category": [
        "network"
      ],
      "changed_fields": [
        "host.network.ingress.bytes",
        "host.network.ingress.packets",
        "host.network.egress.bytes",
        "host.network.egress.packets"
      ],
      "created": "2025-01-23T14:38:51.417Z",
      "reason": "Network interface Ethernet 2 updated",
      "type": [
        "change"
      ]
    },
    "host": {
      "ip": [
        "fe80::a4de:f576:5401:a042"
      ],
      "mac": "08:00:27:1b:6b:a5",
      "network": {
        "egress": {
          "bytes": 816343,
          "drops": 0,
          "errors": 0,
          "packets": 1428,
          "previous": {
            "bytes": 790220,
            "packets": 1362
          }
        },
        "ingress": {
          "bytes": 544454,
          "drops": 0,
          "errors": 0,
          "packets": 1322,
          "previous": {
            "bytes": 518886,
            "packets": 1256
          }
        }
      }
    },
    "interface": {
      "mtu": 1500,
      "state": "up",
      "type": "ethernet"
    },
    "network": {
      "broadcast": [],
      "dhcp": "disabled",
      "gateway": [],
      "metric": "25",
      "netmask": [
        "ffff:ffff:ffff:ffff::"
      ],
      "protocol": null,
      "type": "ipv6"
    },
    "observer": {
      "ingress": {
        "interface": {
          "alias": "Intel(R) PRO/1000 MT Desktop Adapter #2",
          "name": "Ethernet 2"
        }
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T14:38:51.417Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@network-interface-updated@/opensearch-dashboards-highlighted-field@"
    ],
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737643131417
  ]
}

Ports

Stateful event
{
  "_index": "wazuh-states-inventory-ports",
  "_id": "7ab2d109901bea7cf13ac1c7acdc4b98d4815be2",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      }
    },
    "@timestamp": "2025-01-23T14:26:50.776Z",
    "destination": {
      "ip": [
        "192.168.56.125"
      ],
      "port": 27000
    },
    "file": {
      "inode": 0
    },
    "host": {
      "network": {
        "egress": {
          "queue": null
        },
        "ingress": {
          "queue": null
        }
      }
    },
    "interface": {
      "state": "established"
    },
    "network": {
      "protocol": "tcp"
    },
    "process": {
      "name": "wazuh-agent.exe",
      "pid": 4008
    },
    "source": {
      "ip": [
        "192.168.56.16"
      ],
      "port": 50072
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T14:26:50.776Z"
    ]
  },
  "highlight": {
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  }
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "ghxlk5QBMb5FqFN1_cZ7",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "VM-WIN2022",
        "ip": [
          "10.0.2.15",
          "fe80::ba8c:77ca:7480:40d2",
          "192.168.56.16",
          "fe80::a4de:f576:5401:a042",
          "127.0.0.1",
          "::1"
        ],
        "os": {
          "name": "Microsoft Windows Server 2022 Standard",
          "type": "Unknown",
          "version": "10.0.20348.1906"
        }
      },
      "id": "ea72889f-0e22-4d41-91e3-8d404323a100",
      "name": "VM-WIN2022",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "destination": {
      "ip": [
        "0.0.0.0"
      ],
      "port": 0
    },
    "event": {
      "action": "port-updated",
      "category": [
        "network"
      ],
      "changed_fields": [
        "process.pid"
      ],
      "created": "2025-01-23T13:41:48.541Z",
      "reason": "Updated connection from source port 22 to destination port 0",
      "type": [
        "change"
      ]
    },
    "file": {
      "inode": 0
    },
    "host": {
      "network": {
        "egress": {
          "queue": null
        },
        "ingress": {
          "queue": null
        }
      }
    },
    "interface": {
      "state": "listening"
    },
    "network": {
      "protocol": "tcp"
    },
    "process": {
      "name": "sshd.exe",
      "pid": 2832,
      "previous": {
        "pid": 2864
      }
    },
    "source": {
      "ip": [
        "0.0.0.0"
      ],
      "port": 22
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T13:41:48.541Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@port-updated@/opensearch-dashboards-highlighted-field@"
    ],
    "agent.name": [
      "@opensearch-dashboards-highlighted-field@VM-WIN2022@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    0,
    1737639708541
  ]
}

@nbertoldo
Member

Test E2E Agent macOS Sonoma

Hardware

Stateful event
{
  "_index": "wazuh-states-inventory-hardware",
  "_id": "4c44873a0745a1a0666865abc5e13b7ccfc57c5f",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      }
    },
    "@timestamp": "2025-01-23T19:17:51.686Z",
    "host": {
      "cpu": {
        "cores": 2,
        "name": "Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz",
        "speed": 3192
      },
      "memory": {
        "free": 1108276,
        "total": 4194304,
        "used": {
          "percentage": 74
        }
      }
    },
    "observer": {
      "serial_number": "H2WF603JPJJ9"
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T19:17:51.686Z"
    ]
  },
  "sort": [
    1737659871686
  ]
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "YxahlJQBUiKAykr10we1",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      },
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "hardware-updated",
      "category": [
        "host"
      ],
      "changed_fields": [
        "host.memory.free"
      ],
      "created": "2025-01-23T19:26:53.966Z",
      "reason": "Hardware changed",
      "type": [
        "change"
      ]
    },
    "host": {
      "cpu": {
        "cores": 2,
        "name": "Intel(R) Core(TM) i7-8700B CPU @ 3.20GHz",
        "speed": 3192
      },
      "memory": {
        "free": 1098392,
        "previous": {
          "free": 1099864
        },
        "total": 4194304,
        "used": {
          "percentage": 74
        }
      }
    },
    "observer": {
      "serial_number": "H2WF603JPJJ9"
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T19:26:53.966Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@hardware-updated@/opensearch-dashboards-highlighted-field@"
    ]
  }
}

System

Stateful event
{
  "_index": "wazuh-states-inventory-system",
  "_id": "d83906096cf1becc70479dbe8856c160a00fa24e",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      }
    },
    "@timestamp": "2025-01-23T19:17:51.686Z",
    "host": {
      "architecture": "x86_64",
      "hostname": "idr-1983-sonoma-14-3145",
      "os": {
        "full": "Sonoma",
        "kernel": "23E224",
        "name": "macOS",
        "platform": "darwin",
        "type": "Darwin",
        "version": "14.4.1"
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T19:17:51.686Z"
    ]
  },
  "sort": [
    1737659871686
  ]
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "QBaZlJQBUiKAykr1qQWs",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      },
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "system-detected",
      "category": [
        "host"
      ],
      "created": "2025-01-23T19:17:51.686Z",
      "reason": "System idr-1983-sonoma-14-3145 is running OS version 14.4.1",
      "type": [
        "info"
      ]
    },
    "host": {
      "architecture": "x86_64",
      "hostname": "idr-1983-sonoma-14-3145",
      "os": {
        "full": "Sonoma",
        "kernel": "23E224",
        "name": "macOS",
        "platform": "darwin",
        "type": "Darwin",
        "version": "14.4.1"
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T19:17:51.686Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@system-detected@/opensearch-dashboards-highlighted-field@"
    ]
  }
}

Packages

Stateful event
{
  "_index": "wazuh-states-inventory-packages",
  "_id": "6bb4cd07d32bb25666594fa610eb89e0eba3d4c7",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      }
    },
    "@timestamp": "2025-01-23T19:17:51.686Z",
    "package": {
      "architecture": "",
      "description": "com.apple.siri.launcher",
      "installed": null,
      "name": "Siri",
      "path": "/System/Applications/Siri.app/Contents/Info.plist",
      "size": null,
      "type": "pkg",
      "version": "1.0"
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T19:17:51.686Z"
    ]
  },
  "sort": [
    1737659871686
  ]
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "QRaZlJQBUiKAykr1qQWs",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      },
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "package-installed",
      "category": [
        "package"
      ],
      "created": "2025-01-23T19:17:51.686Z",
      "reason": "Package Safari (version 17.4.1) was installed",
      "type": [
        "installation"
      ]
    },
    "package": {
      "architecture": "",
      "description": "com.apple.Safari",
      "installed": null,
      "name": "Safari",
      "path": "/Applications/Safari.app/Contents/Info.plist",
      "size": null,
      "type": "pkg",
      "version": "17.4.1"
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T19:17:51.686Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@package-installed@/opensearch-dashboards-highlighted-field@"
    ]
  }
}

Processes

Stateful event
{
  "_index": "wazuh-states-inventory-processes",
  "_id": "a757d92e92ad65fc1725167420e26e159b68933e",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      }
    },
    "@timestamp": "2025-01-23T19:17:51.686Z",
    "process": {
      "args": null,
      "command_line": null,
      "group": {
        "id": null
      },
      "name": "wazuh-agent",
      "parent": {
        "pid": 77268
      },
      "pid": "78974",
      "real_group": {
        "id": "wheel"
      },
      "real_user": {
        "id": "root"
      },
      "saved_group": {
        "id": null
      },
      "saved_user": {
        "id": null
      },
      "start": 1737659871,
      "thread": {
        "id": null
      },
      "tty": {
        "char_device": {
          "major": null
        }
      },
      "user": {
        "id": "root"
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T19:17:51.686Z"
    ],
    "process.start": [
      "1970-01-21T02:40:59.871Z"
    ]
  },
  "sort": [
    1737659871686
  ]
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "HRaZlJQBUiKAykr1qQau",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      },
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "process-started",
      "category": [
        "process"
      ],
      "created": "2025-01-23T19:17:51.686Z",
      "reason": "Process trustd (PID: trustd) was started",
      "type": [
        "start"
      ]
    },
    "process": {
      "args": null,
      "command_line": null,
      "group": {
        "id": null
      },
      "name": "trustd",
      "parent": {
        "pid": 1
      },
      "pid": "10051",
      "real_group": {
        "id": "staff"
      },
      "real_user": {
        "id": "vagrant"
      },
      "saved_group": {
        "id": null
      },
      "saved_user": {
        "id": null
      },
      "start": 1737645918,
      "thread": {
        "id": null
      },
      "tty": {
        "char_device": {
          "major": null
        }
      },
      "user": {
        "id": "vagrant"
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T19:17:51.686Z"
    ],
    "process.start": [
      "1970-01-21T02:40:45.918Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@process-started@/opensearch-dashboards-highlighted-field@"
    ]
  }
}

Networks

Stateful event
{
  "_index": "wazuh-states-inventory-networks",
  "_id": "29cc4837fb9f9482f3df265a461c812fc6f4abbe",
  "_version": 3,
  "_score": null,
  "_source": {
    "agent": {
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      }
    },
    "@timestamp": "2025-01-23T19:23:53.489Z",
    "host": {
      "ip": [
        "10.211.55.224"
      ],
      "mac": "00:1c:42:54:cd:0c",
      "network": {
        "egress": {
          "bytes": 7402496,
          "drops": 0,
          "errors": 0,
          "packets": 89370
        },
        "ingress": {
          "bytes": 1380263936,
          "drops": 0,
          "errors": 0,
          "packets": 953394
        }
      }
    },
    "interface": {
      "mtu": 1500,
      "state": "up",
      "type": "ethernet"
    },
    "network": {
      "broadcast": [
        "10.211.55.255"
      ],
      "dhcp": null,
      "gateway": [
        "10.211.55.1"
      ],
      "metric": null,
      "netmask": [
        "255.255.255.0"
      ],
      "protocol": null,
      "type": "ipv4"
    },
    "observer": {
      "ingress": {
        "interface": {
          "alias": "",
          "name": "en0"
        }
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T19:23:53.489Z"
    ]
  },
  "sort": [
    1737660233489
  ]
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "JhaclJQBUiKAykr1QQfU",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      },
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "network-interface-updated",
      "category": [
        "network"
      ],
      "changed_fields": [
        "host.network.ingress.bytes",
        "host.network.ingress.packets",
        "host.network.egress.bytes",
        "host.network.egress.packets"
      ],
      "created": "2025-01-23T19:20:52.971Z",
      "reason": "Network interface en0 updated",
      "type": [
        "change"
      ]
    },
    "host": {
      "ip": [
        "fe80::147e:7268:7168:b93e"
      ],
      "mac": "00:1c:42:54:cd:0c",
      "network": {
        "egress": {
          "bytes": 7379968,
          "drops": 0,
          "errors": 0,
          "packets": 89283,
          "previous": {
            "bytes": 6926336,
            "packets": 89038
          }
        },
        "ingress": {
          "bytes": 1380238336,
          "drops": 0,
          "errors": 0,
          "packets": 953305,
          "previous": {
            "bytes": 1380146176,
            "packets": 952980
          }
        }
      }
    },
    "interface": {
      "mtu": 1500,
      "state": "up",
      "type": "ethernet"
    },
    "network": {
      "broadcast": [],
      "dhcp": null,
      "gateway": [
        "10.211.55.1"
      ],
      "metric": null,
      "netmask": [
        "ffff:ffff:ffff:ffff::"
      ],
      "protocol": null,
      "type": "ipv6"
    },
    "observer": {
      "ingress": {
        "interface": {
          "alias": "",
          "name": "en0"
        }
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T19:20:52.971Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@network-interface-updated@/opensearch-dashboards-highlighted-field@"
    ]
  }
}

Ports

Stateful event
{
  "_index": "wazuh-states-inventory-ports",
  "_id": "1c5a317df1d892a096aa31970a80dd57caa770c3",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      }
    },
    "@timestamp": "2025-01-23T19:26:53.966Z",
    "destination": {
      "ip": [
        "54.211.158.194"
      ],
      "port": 27000
    },
    "file": {
      "inode": 0
    },
    "host": {
      "network": {
        "egress": {
          "queue": null
        },
        "ingress": {
          "queue": null
        }
      }
    },
    "interface": {
      "state": "established"
    },
    "network": {
      "protocol": "tcp"
    },
    "process": {
      "name": "wazuh-agent",
      "pid": 78974
    },
    "source": {
      "ip": [
        "10.211.55.224"
      ],
      "port": 49514
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-23T19:26:53.966Z"
    ]
  },
  "sort": [
    1737660413966
  ]
}
Stateless event
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "IhaclJQBUiKAykr1QQfU",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "idr-1983-sonoma-14-3145",
        "ip": [
          "10.211.55.224",
          "fe80::147e:7268:7168:b93e"
        ],
        "os": {
          "name": "macOS",
          "type": "Darwin",
          "version": "14.4.1"
        }
      },
      "id": "354e545f-fd72-4017-a99c-988cc890fdb7",
      "name": "idr-1983-sonoma-14-3145",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "destination": {
      "ip": [
        "54.211.158.194"
      ],
      "port": 27000
    },
    "event": {
      "action": "port-closed",
      "category": [
        "network"
      ],
      "created": "2025-01-23T19:20:52.971Z",
      "reason": "Closed connection from source port 49489 to destination port 27000",
      "type": [
        "end"
      ]
    },
    "file": {
      "inode": 0
    },
    "host": {
      "network": {
        "egress": {
          "queue": null
        },
        "ingress": {
          "queue": null
        }
      }
    },
    "interface": {
      "state": "established"
    },
    "network": {
      "protocol": "tcp"
    },
    "process": {
      "name": "wazuh-agent",
      "pid": 78974
    },
    "source": {
      "ip": [
        "10.211.55.224"
      ],
      "port": 49489
    }
  },
  "fields": {
    "event.created": [
      "2025-01-23T19:20:52.971Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@port-closed@/opensearch-dashboards-highlighted-field@"
    ]
  }
}

@wazuhci wazuhci moved this from In progress to In review in XDR+SIEM/Release 5.0.0 Jan 24, 2025
@wazuhci wazuhci moved this from In review to In progress in XDR+SIEM/Release 5.0.0 Jan 24, 2025
@cborla cborla changed the title Optimize DataProvider by Removing Unused Fields in Inventory Module Optimize Inventory Tables by Removing Unused Fields Jan 24, 2025
@wazuhci wazuhci moved this from In progress to Pending final review in XDR+SIEM/Release 5.0.0 Jan 24, 2025