Command manager timeseries index model #565

Closed
4 tasks done
Tracked by #496
AlexRuiz7 opened this issue Nov 25, 2024 · 2 comments · Fixed by #568 or wazuh/wazuh-indexer-plugins#153
Assignees
Labels
level/task Task issue mvp Minimum Viable Product type/enhancement Enhancement issue

Comments

@AlexRuiz7
Member

AlexRuiz7 commented Nov 25, 2024

Description

In order to schedule the management of the commands by the Command Manager plugin, we need to add a @timestamp field to the index data model. This field is part of the ECS.

This field will be initialized by the plugin. In other words, the value of the field depicts the exact moment at which the command is indexed. We'll also include a field to store the result of delivery_timestamp = timestamp + timeout.

Functional requirements

  • The commands index template has mappings for the @timestamp field.
  • The commands index template has mappings for the delivery_timestamp field.
  • The command manager initializes the commands with a timestamp generated during runtime.
  • The command manager job scheduler uses the timestamp to sort the commands by time.

Implementation restrictions

  • Regenerate the index template using our tools under wazuh-indexer/ecs.
  • The dates follow the date_time_no_millis format. See Full date formats.

Plan

@QU3B1M
Member

QU3B1M commented Nov 28, 2024

We decided to add the @timestamp and delivery_timestamp fields at the document "top level" (same level as the agent or command groups). The pertinent modifications were made on both repositories, and are now under testing.

Wazuh-indexer updates

The ECS definitions of the command index were modified, creating a base.yml file which stores the delivery_timestamp field definition, and applying the corresponding modifications on the subset.yml file.
The event_generator was updated and the index template was successfully generated.

Command index pattern
{
  "index_patterns": [
    ".commands*"
  ],
  "mappings": {
    "date_detection": false,
    "dynamic": "strict",
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "agent": {
        "properties": {
          "groups": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "command": {
        "properties": {
          "action": {
            "properties": {
              "args": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "order_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "request_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "result": {
            "properties": {
              "code": {
                "type": "short"
              },
              "data": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "message": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "source": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "status": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "target": {
            "properties": {
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "type": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "timeout": {
            "type": "short"
          },
          "user": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "delivery_timestamp": {
        "type": "date"
      }
    }
  },
  "order": 1,
  "settings": {
    "index": {
      "hidden": true,
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
        "command.source",
        "command.target.type",
        "command.status",
        "command.action.name"
      ],
      "refresh_interval": "5s"
    }
  }
}

Wazuh-indexer-plugins updates

Added timestamp and deliveryTimestamp attributes to the command-manager Document model; the attributes are mapped to the @timestamp and delivery_timestamp fields, respectively.

Updated command index template on both plugins' resources.


Command created with a POST request to the command-manager API

{
    "took": 32,
    "timed_out": false,
    "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 1,
            "relation": "eq"
        },
        "max_score": 1.0,
        "hits": [
            {
                "_index": ".commands",
                "_id": "fZuAdJMBy-t6tcAPACYT",
                "_score": 1.0,
                "_source": {
                    "agent": {
                        "groups": [
                            "groups000"
                        ]
                    },
                    "command": {
                        "source": "Engine",
                        "user": "TestUser",
                        "target": {
                            "type": "agent",
                            "id": "TestTarget"
                        },
                        "action": {
                            "name": "restart",
                            "args": [
                                "/test/path/fake/args"
                            ],
                            "version": "v4"
                        },
                        "timeout": 30,
                        "status": "PENDING",
                        "order_id": "fJuAdJMBy-t6tcAPACYT",
                        "request_id": "e5uAdJMBy-t6tcAPACYS"
                    },
                    "@timestamp": 1732826365971,
                    "delivery_timestamp": 1732826395971
                }
            }
        ]
    }
}
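An added example, not code from this thread or from the Wazuh repositories: a small Python model of the `.commands` document that covers the functional requirements in the issue description (stamping @timestamp, computing delivery_timestamp = @timestamp + timeout, sorting pending commands by @timestamp for the scheduler) and checks a document against the strict template mappings shown in this comment. The flattened mapping table and the sample command are constructed from the template and the indexed document above; the `order_id`/`request_id` values are placeholders, and `NOW` is the epoch-millis @timestamp of that document (1732826365971) converted to UTC. That OpenSearch accepts both `Z` and `+HH:MM` offsets for date_time_no_millis is an assumption stated in the code, not something the thread says.

```python
"""Added example (not Wazuh code): model the .commands document from this issue.
Stamps @timestamp and delivery_timestamp = @timestamp + command.timeout (seconds) in
date_time_no_millis form, validates a document against the strict template mappings
above, and orders pending commands by @timestamp for the job scheduler."""
from __future__ import annotations

import copy
from datetime import datetime, timedelta, timezone

# Leaf fields of the .commands template flattened with dots (constructed from the
# template JSON above). "dynamic": "strict" means any other field is rejected.
COMMAND_MAPPINGS = {
    "@timestamp": "date", "delivery_timestamp": "date",
    "agent.groups": "keyword",
    "command.action.args": "keyword", "command.action.name": "keyword",
    "command.action.version": "keyword",
    "command.order_id": "keyword", "command.request_id": "keyword",
    "command.result.code": "short", "command.result.data": "keyword",
    "command.result.message": "keyword",
    "command.source": "keyword", "command.status": "keyword",
    "command.target.id": "keyword", "command.target.type": "keyword",
    "command.timeout": "short", "command.user": "keyword",
}
IGNORE_ABOVE = 1024  # ignore_above set on every keyword field of the template

# Constructed sample mirroring the document indexed through the command-manager API;
# order_id/request_id are placeholders, not the generated ids shown above.
SAMPLE_COMMAND = {
    "agent": {"groups": ["groups000"]},
    "command": {
        "source": "Engine", "user": "TestUser",
        "target": {"type": "agent", "id": "TestTarget"},
        "action": {"name": "restart", "args": ["/test/path/fake/args"], "version": "v4"},
        "timeout": 30, "status": "PENDING",
        "order_id": "order-placeholder", "request_id": "request-placeholder",
    },
}
# The epoch-millis @timestamp of the indexed document above (1732826365971), as UTC.
NOW = datetime(2024, 11, 28, 20, 39, 25, tzinfo=timezone.utc)


def format_date_time_no_millis(dt: datetime) -> str:
    """Render an aware datetime as date_time_no_millis, e.g. 2024-11-28T20:39:25Z.
    Zero offset is written as Z, others as +HH:MM (assumption: OpenSearch accepts both)."""
    if dt.utcoffset() is None:
        raise ValueError("timestamps must be timezone-aware")
    text = dt.isoformat(timespec="seconds")  # drops sub-second precision
    return text[:-6] + "Z" if text.endswith("+00:00") else text


def parse_date(value) -> datetime:
    """Accept the two forms seen in this thread: epoch millis or date_time_no_millis text."""
    if type(value) is int:  # epoch millis; bool is deliberately excluded
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    if isinstance(value, str):
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")  # %z takes 'Z' and +HH:MM
    raise TypeError(f"not a date value: {value!r}")


def stamp_command(doc: dict, now: datetime) -> dict:
    """Return a copy with @timestamp = indexing instant, delivery_timestamp = now + timeout."""
    timeout = doc["command"]["timeout"]
    stamped = copy.deepcopy(doc)
    stamped["@timestamp"] = format_date_time_no_millis(now)
    stamped["delivery_timestamp"] = format_date_time_no_millis(now + timedelta(seconds=timeout))
    return stamped


def _flatten(obj: dict, prefix: str = ""):
    """Yield (dotted.path, value) for every leaf, mirroring the nested 'properties'."""
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from _flatten(value, path)
        else:
            yield path, value


def validate_command(doc: dict) -> list[str]:
    """Problems a strict .commands index would raise for doc; [] means it indexes cleanly."""
    problems = []
    for path, value in _flatten(doc):
        kind = COMMAND_MAPPINGS.get(path)
        if kind is None:
            problems.append(f"{path}: not in the template, rejected by dynamic=strict")
            continue
        for item in value if isinstance(value, list) else [value]:
            if kind == "keyword" and not (isinstance(item, str) and len(item) <= IGNORE_ABOVE):
                # over ignore_above the value is stored but not indexed, so it never matches
                problems.append(f"{path}: keyword must be a string of <= {IGNORE_ABOVE} chars")
            elif kind == "short" and not (type(item) is int and -32768 <= item <= 32767):
                problems.append(f"{path}: short must be an integer in [-32768, 32767]")
            elif kind == "date":
                try:
                    parse_date(item)
                except (TypeError, ValueError):
                    problems.append(f"{path}: date must be epoch millis or date_time_no_millis")
    return problems


def schedule(docs: list[dict]) -> list[dict]:
    """Pending commands oldest first: the order the job scheduler processes them in."""
    pending = [d for d in docs if d["command"]["status"] == "PENDING"]
    return sorted(pending, key=lambda d: parse_date(d["@timestamp"]))


if __name__ == "__main__":
    doc = stamp_command(SAMPLE_COMMAND, NOW)
    print(doc["@timestamp"], doc["delivery_timestamp"], validate_command(doc))
    print(validate_command({**doc, "extra": "not in the template"}))
```

The strict-mapping check is the part worth keeping in mind: because the template sets `dynamic: strict`, a request to the command-manager API that carries a field outside the model is refused by the indexer rather than mapped on the fly, so the Document model and the template have to change together, which is why the template is updated in both plugins' resources.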

@wazuhci wazuhci moved this from In progress to On hold in Release 5.0.0 Nov 29, 2024
@wazuhci wazuhci moved this from On hold to Pending review in Release 5.0.0 Nov 29, 2024
@wazuhci wazuhci moved this from Pending review to On hold in Release 5.0.0 Nov 29, 2024
@wazuhci wazuhci moved this from On hold to In progress in Release 5.0.0 Nov 29, 2024
@wazuhci wazuhci moved this from In progress to Pending review in Release 5.0.0 Nov 29, 2024
@AlexRuiz7 AlexRuiz7 mentioned this issue Dec 2, 2024
13 tasks
@wazuhci wazuhci moved this from Pending review to In progress in Release 5.0.0 Dec 2, 2024
@QU3B1M
Member

QU3B1M commented Dec 3, 2024

Updated timestamp and deliveryTimestamp to be of type ZonedDateTime and use the OpenSearch DateUtils library; the timestamp format applied is date_time_no_millis (YYYY-MM-DDTHH:mm:ssZ).

@wazuhci wazuhci moved this from In progress to Pending review in Release 5.0.0 Dec 3, 2024
@wazuhci wazuhci moved this from Pending review to In review in Release 5.0.0 Dec 3, 2024
@wazuhci wazuhci moved this from In review to Done in Release 5.0.0 Dec 3, 2024
Projects
Status: Done
2 participants