
Enrich index templates with agents' information #525

Closed
1 task
Tracked by #496
GGP1 opened this issue Nov 6, 2024 · 0 comments · Fixed by #544 or #549

Comments


GGP1 commented Nov 6, 2024

Description

Currently, indices store the agent.id and agent.groups fields along with the event information to build a relationship between an agent and its events.

However, we want to make more information available to correlate events from different indices. For example, the agent's information of an event would look like this:

{
  "agent": {
      "id": "2887e1cf-9bf2-431a-b066-a46860080f56",
      "name": "agent-name",
      "type": "endpoint",
      "version": "5.0.0",
      "groups": ["group1", "group2"],
      "host": {
          "hostname": "myhost",
          "os": {
              "name": "Amazon Linux 2",
              "platform": "Linux"
          },
          "ip": ["192.168.1.2"],
          "architecture": "x86_64"
      }
  }
}

Aside from that, we also want to do some adjustments to the .agents index data model itself, which are:

  • Rename agent.is_connected field to agent.status, of type keyword. Expected values are: active, disconnected.

{
  "agent": {
      "id": "2887e1cf-9bf2-431a-b066-a46860080f56",
      "key": "BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR",
      "name": "agent-name",
      "type": "endpoint",
      "version": "5.0.0",
      "groups": ["group1", "group2"],
      "host": {
          "hostname": "myhost",
          "os": {
              "name": "Amazon Linux 2",
              "platform": "Linux"
          },
          "ip": ["192.168.1.2"],
          "architecture": "x86_64"
      },
      "last_login": "11/11/2024 00:00:00",
      "status": "active"
  }
}

Note

Take into consideration the requirements in #539, as all the Host fields must be included in the mappings.
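The following is an added example, not code from the wazuh-indexer-plugins project, that shows the enrichment step this issue asks for: an event that today carries only agent.id and agent.groups is joined against its .agents document and gains the full agent subtree. It uses only the field names shown in the two JSON documents above; the sample event, the AGENT_PUBLIC_FIELDS projection and the validation rules (status restricted to active/disconnected, is_connected flagged as obsolete) are assumptions drawn from this issue's text. Note that the event-side model omits key, last_login and status, so the projection deliberately never copies the agent key into event indices.

```python
"""Enrich event documents with the agent fields described in this issue.

Added example, not part of the wazuh-indexer-plugins code. It assumes the
.agents documents and event documents have the shape shown in the issue;
the field names come from the issue, everything else is constructed.
"""
import copy
import json

# Fields from the .agents document that may be copied into event indices.
# "key" (the agent's enrolment secret), "last_login" and "status" stay in
# .agents only: the event-side model in the issue does not include them.
AGENT_PUBLIC_FIELDS = ("id", "name", "type", "version", "groups", "host")

# Values the issue defines for agent.status (keyword).
ALLOWED_STATUS = frozenset({"active", "disconnected"})

# Host subfields the issue's examples show (the #539 requirement may add more).
HOST_FIELDS = ("hostname", "os", "ip", "architecture")


def validate_agent_record(record: dict) -> list[str]:
    """Return a list of problems found in a .agents document (empty if valid)."""
    problems = []
    agent = record.get("agent")
    if not isinstance(agent, dict):
        return ["missing 'agent' object"]
    for field in ("id", "status"):
        if field not in agent:
            problems.append(f"missing agent.{field}")
    status = agent.get("status")
    if status is not None and status not in ALLOWED_STATUS:
        problems.append(f"agent.status {status!r} not in {sorted(ALLOWED_STATUS)}")
    if "is_connected" in agent:
        problems.append("agent.is_connected is obsolete; use agent.status")
    host = agent.get("host", {})
    for field in HOST_FIELDS:
        if field not in host:
            problems.append(f"missing agent.host.{field}")
    return problems


def public_agent_view(record: dict) -> dict:
    """Project a .agents document onto the subset that event indices carry."""
    agent = record["agent"]
    return {f: copy.deepcopy(agent[f]) for f in AGENT_PUBLIC_FIELDS if f in agent}


def enrich_event(event: dict, agents_by_id: dict) -> dict:
    """Return a copy of `event` whose agent subtree holds the full public view.

    The agent is looked up by agent.id; an unknown id raises KeyError so the
    caller can route the event to a dead-letter path instead of indexing a
    half-populated document. The input event is left untouched.
    """
    agent_id = event["agent"]["id"]
    agent_record = agents_by_id[agent_id]  # KeyError for unknown agents
    enriched = copy.deepcopy(event)
    enriched["agent"] = public_agent_view(agent_record)
    return enriched


# Constructed sample .agents document, copied from the issue's second JSON example.
SAMPLE_AGENT_RECORD = {
    "agent": {
        "id": "2887e1cf-9bf2-431a-b066-a46860080f56",
        "key": "BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR",
        "name": "agent-name",
        "type": "endpoint",
        "version": "5.0.0",
        "groups": ["group1", "group2"],
        "host": {
            "hostname": "myhost",
            "os": {"name": "Amazon Linux 2", "platform": "Linux"},
            "ip": ["192.168.1.2"],
            "architecture": "x86_64",
        },
        "last_login": "11/11/2024 00:00:00",
        "status": "active",
    }
}

# Constructed event as indices store it today: only agent.id and agent.groups.
SAMPLE_EVENT = {
    "@timestamp": "2024-11-06T10:00:00Z",
    "agent": {"id": "2887e1cf-9bf2-431a-b066-a46860080f56", "groups": ["group1", "group2"]},
    "event": {"category": "process"},
}

AGENTS_BY_ID = {SAMPLE_AGENT_RECORD["agent"]["id"]: SAMPLE_AGENT_RECORD}


if __name__ == "__main__":
    print(validate_agent_record(SAMPLE_AGENT_RECORD))
    print(json.dumps(enrich_event(SAMPLE_EVENT, AGENTS_BY_ID), indent=2))
```

Running the module prints an empty problem list for the sample .agents document and the enriched event, whose agent subtree now carries name, type, version and host but no key. The projection through AGENT_PUBLIC_FIELDS is the part worth keeping whatever the final mapping looks like: it makes the set of fields that leave .agents an explicit allow-list rather than whatever happens to be in the document.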

Functional requirements

Implementation restrictions

Plan

  • Rename agent.is_connected field to agent.status, of type keyword. Expected values are: active, disconnected.
@GGP1 GGP1 added level/task Task issue type/enhancement Enhancement issue labels Nov 6, 2024
@AlexRuiz7 AlexRuiz7 changed the title Update event indices agent information Update stateful index templates with agents' information Nov 6, 2024
@wazuhci wazuhci moved this to Blocked in Release 5.0.0 Nov 6, 2024
@AlexRuiz7 AlexRuiz7 added the mvp Minimum Viable Product label Nov 7, 2024
@wazuhci wazuhci moved this from Blocked to Backlog in Release 5.0.0 Nov 11, 2024
@wazuhci wazuhci moved this from Backlog to Triage in Release 5.0.0 Nov 11, 2024
@AlexRuiz7 AlexRuiz7 changed the title Update stateful index templates with agents' information Update .agents index data model Nov 11, 2024
@AlexRuiz7 AlexRuiz7 mentioned this issue Nov 6, 2024
@wazuhci wazuhci moved this from Triage to Backlog in Release 5.0.0 Nov 11, 2024
@wazuhci wazuhci moved this from Backlog to In progress in Release 5.0.0 Nov 12, 2024
@AlexRuiz7 AlexRuiz7 changed the title Update .agents index data model Enrich index templates with agents' information Nov 12, 2024
@wazuhci wazuhci moved this from In progress to Done in Release 5.0.0 Nov 13, 2024