update osquery and ecs fields in osquery

x-pack/plugins/osquery/public/editor/osquery_tables.ts

@@ -17,7 +17,7 @@ let osqueryTables: TablesJSON | null = null;
 export const getOsqueryTables = () => {
   if (!osqueryTables) {
     // eslint-disable-next-line @typescript-eslint/no-var-requires
-    osqueryTables = normalizeTables(require('../common/schemas/osquery/v5.10.2.json'));
+    osqueryTables = normalizeTables(require('../common/schemas/osquery/v5.13.1.json'));
   }
 
   return osqueryTables;

x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx

@@ -47,8 +47,8 @@ import {
   convertECSMappingToArray,
   convertECSMappingToObject,
 } from '../../../common/utils/converters';
-import ECSSchema from '../../common/schemas/ecs/v8.11.0.json';
-import osquerySchema from '../../common/schemas/osquery/v5.10.2.json';
+import ECSSchema from '../../common/schemas/ecs/v8.12.0.json';
+import osquerySchema from '../../common/schemas/osquery/v5.13.1.json';
 
 import { FieldIcon } from '../../common/lib/kibana';
 import { OsqueryIcon } from '../../components/osquery_icon';
@@ -890,8 +890,8 @@ export const ECSMappingEditorField = React.memo(({ euiFieldProps }: ECSMappingEd
           ?.map((selectItem: { type: string; name: string; alias?: string }) => {
             if (selectItem.type === 'identifier') {
               /*
-                select * from routes, uptime;
-              */
+              select * from routes, uptime;
+            */
               if (ast?.result.length === 1 && selectItem.name === '*') {
                 return reduce(
                   astOsqueryTables,
@@ -916,8 +916,8 @@ export const ECSMappingEditorField = React.memo(({ euiFieldProps }: ECSMappingEd
               }
 
               /*
-                select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;
-              */
+              select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;
+            */
 
               const [table, column] = selectItem.name.includes('.')
                 ? selectItem.name.split('.')
@@ -961,18 +961,18 @@ export const ECSMappingEditorField = React.memo(({ euiFieldProps }: ECSMappingEd
             }
 
             /*
-              SELECT pid, uid, name, ROUND((
-                (user_time + system_time) / (cpu_time.tsb - cpu_time.itsb)
-              ) * 100, 2) AS percentage
-              FROM processes, (
-              SELECT (
-                SUM(user) + SUM(nice) + SUM(system) + SUM(idle) * 1.0) AS tsb,
-                SUM(COALESCE(idle, 0)) + SUM(COALESCE(iowait, 0)) AS itsb
-                FROM cpu_time
-              ) AS cpu_time
-              ORDER BY user_time+system_time DESC
-              LIMIT 5;
-            */
+            SELECT pid, uid, name, ROUND((
+              (user_time + system_time) / (cpu_time.tsb - cpu_time.itsb)
+            ) * 100, 2) AS percentage
+            FROM processes, (
+            SELECT (
+              SUM(user) + SUM(nice) + SUM(system) + SUM(idle) * 1.0) AS tsb,
+              SUM(COALESCE(idle, 0)) + SUM(COALESCE(iowait, 0)) AS itsb
+              FROM cpu_time
+            ) AS cpu_time
+            ORDER BY user_time+system_time DESC
+            LIMIT 5;
+          */
 
             if (selectItem.type === 'function' && selectItem.alias) {
               return [

x-pack/plugins/osquery/scripts/readme.md

@@ -6,8 +6,10 @@ currently manually curated). This assumes the targeted schema files will be in
 `public/editor/osquery_schema`.
 
 ```
-node ecs.js --schema_version=4.6.0                  // (filename without .json extension)
+node ecs.js --schema_version=4.6.0          // filename should be called 4.6.0.json > which will generate v4.6.0-formatted.json
+```
 Possibly it's going to be necessary to transform fields' names into lower case, because CSV exports Fields with Capital Letters. 
 
-node osquery.js --schema_version=4.6.0              // (filename without .json extension)
+node osquery.js --schema_version=4.6.0      // filename should be called 4.6.0.json > which will generate v4.6.0-formatted.json
+
 ```

x-pack/plugins/osquery/scripts/schema_formatter/ecs_formatter.ts

@@ -44,6 +44,7 @@ run(
     const schemaFile = path.join(schemaPath, flags.schema_version as string);
     const schemaData = await require(schemaFile);
 
+    console.log({ schemaPath, schemaFile, schemaData });
     const transformToLowerCase = (obj: Record<string, unknown>) =>
       Object.fromEntries(Object.entries(obj).map(([key, val]) => [key.toLowerCase(), val]));
 

x-pack/plugins/osquery/scripts/schema_formatter/osquery_formatter.ts

@@ -28,7 +28,7 @@ run(
     formattedSchema.push(...elasticTables);
 
     await fs.writeFile(
-      path.join(schemaPath, `v${flags.schema_version}-formatted`),
+      path.join(schemaPath, `v${flags.schema_version}-formatted.json`),
       JSON.stringify(formattedSchema)
     );
   },