
Add @timestamp and delivery_timestamp fields to the commands index data model #568

Merged (11 commits) on Dec 3, 2024

Conversation

QU3B1M (Member) commented Nov 28, 2024

Description

Add the base ECS field @timestamp and a custom field delivery_timestamp to the commands index data model at the document top level.

delivery_timestamp

    - name: delivery_timestamp
      type: date
      level: custom
      description: >
        The latest date-time for the command to be delivered. Calculated as the current timestamp plus the timeout.

Update event_generator with the new fields

Functionality validation

Command document generated with the event_generator

{
    "took": 28,
    "timed_out": false,
    "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 1,
            "relation": "eq"
        },
        "max_score": 1.0,
        "hits": [
            {
                "_index": ".commands",
                "_id": "0cefe00b-d525-4880-9131-2a4baadb56d3",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2024-12-21T14:57:31Z",
                    "delivery_timestamp": "2024-12-05T14:57:31Z",
                    "agent": {
                        "groups": [
                            "group1"
                        ]
                    },
                    "command": {
                        "source": "Users/Services",
                        "user": "user73",
                        "target": {
                            "id": "target7",
                            "type": "group"
                        },
                        "action": {
                            "name": "apply_policy",
                            "args": [
                                "/path/to/executable/arg2"
                            ],
                            "version": "v4"
                        },
                        "timeout": 54,
                        "status": "failure",
                        "result": {
                            "code": 143,
                            "message": "Result message 158",
                            "data": "Result data 58"
                        },
                        "request_id": "82a0d79d-c9a5-4c8d-868a-368588472966",
                        "order_id": "621afcab-cc5a-44d4-b7a1-ff2355fb83ad"
                    }
                }
            }
        ]
    }
}

Related Issues

Resolves #565

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@QU3B1M QU3B1M self-assigned this Nov 28, 2024
@QU3B1M QU3B1M changed the title Enhancement/565 command manager timeseries Implement ECS fields @timestamp and delivery_timestamp to commands index data model Nov 28, 2024
Update command event_generator

Remove delivery_timestamp from custom command fields
Now delivery_timestamp can be used as part of base

Updated the command subset.yml
QU3B1M (Member, Author) commented Nov 28, 2024

Generated command index template

{
  "index_patterns": [
    ".commands*"
  ],
  "mappings": {
    "date_detection": false,
    "dynamic": "strict",
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "agent": {
        "properties": {
          "groups": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "command": {
        "properties": {
          "action": {
            "properties": {
              "args": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "order_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "request_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "result": {
            "properties": {
              "code": {
                "type": "short"
              },
              "data": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "message": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "source": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "status": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "target": {
            "properties": {
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "type": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "timeout": {
            "type": "short"
          },
          "user": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "delivery_timestamp": {
        "type": "date"
      }
    }
  },
  "order": 1,
  "settings": {
    "index": {
      "hidden": true,
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
        "command.source",
        "command.target.type",
        "command.status",
        "command.action.name"
      ],
      "refresh_interval": "5s"
    }
  }
}
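Putting the description and the generated template together, here is an added example (not the project's event_generator.py and not its template): it builds a command document whose delivery_timestamp is @timestamp plus the timeout, then checks the document the way the strict template mapping would. It assumes command.timeout is in seconds (the page gives no unit) and uses a constructed subset of the mapping.

```python
# Added example, not the project's event_generator.py: build a command document with the
# new fields as the PR describes and check it against a strict mapping cut down from the
# generated template. Assumption: command.timeout is in seconds (the page gives no unit).
from datetime import datetime, timedelta
import uuid
FMT = "%Y-%m-%dT%H:%M:%SZ"
MAPPING = {  # constructed subset of the template's "properties" (dynamic: strict)
    "@timestamp": {"type": "date"},
    "delivery_timestamp": {"type": "date"},
    "agent": {"properties": {"groups": {"type": "keyword"}}},
    "command": {"properties": {
        "action": {"properties": {"name": {"type": "keyword"}, "args": {"type": "keyword"}}},
        "timeout": {"type": "short"},
        "status": {"type": "keyword"},
        "request_id": {"type": "keyword"},
    }},
}

def build_command(now, timeout, action, args, groups):
    """delivery_timestamp is the latest delivery time: @timestamp plus the timeout."""
    return {
        "@timestamp": now.strftime(FMT),
        "delivery_timestamp": (now + timedelta(seconds=timeout)).strftime(FMT),
        "agent": {"groups": groups},
        "command": {"action": {"name": action, "args": args}, "timeout": timeout,
                    "status": "pending", "request_id": str(uuid.uuid4())},
    }

def validate(doc, mapping=MAPPING, path=""):
    """Return the problems a strict mapping would raise; an empty list means accepted."""
    problems = []
    for key, value in doc.items():
        full, spec = path + key, mapping.get(key)
        if spec is None:
            problems.append(f"{full}: unmapped field, rejected by dynamic: strict")
        elif "properties" in spec:
            problems.extend(validate(value, spec["properties"], full + ".")
                            if isinstance(value, dict) else [f"{full}: expected object"])
        elif spec["type"] == "date":
            try:
                datetime.strptime(value, FMT)
            except (TypeError, ValueError):
                problems.append(f"{full}: not a {FMT} date")
        elif spec["type"] == "short" and not (isinstance(value, int) and -32768 <= value <= 32767):
            problems.append(f"{full}: out of range for short")
    # Same-format UTC strings compare chronologically; only meaningful once both parsed.
    if not problems and {"@timestamp", "delivery_timestamp"} <= set(doc) \
            and doc["delivery_timestamp"] < doc["@timestamp"]:
        problems.append("delivery_timestamp precedes @timestamp")
    return problems
```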

@QU3B1M QU3B1M marked this pull request as ready for review November 28, 2024 21:26
@QU3B1M QU3B1M requested a review from a team as a code owner November 28, 2024 21:26
Two review threads on ecs/command/event-generator/event_generator.py (outdated, resolved)
@AlexRuiz7 AlexRuiz7 changed the title Implement ECS fields @timestamp and delivery_timestamp to commands index data model Add @timestamp and delivery_timestamp fields to the commands index data model Nov 29, 2024
Remove duplicated fields and order the full document

Update command ECS index documentation
@QU3B1M QU3B1M requested a review from AlexRuiz7 November 29, 2024 19:50
@AlexRuiz7 AlexRuiz7 merged commit e626d3d into master Dec 3, 2024
5 checks passed
@AlexRuiz7 AlexRuiz7 deleted the enhancement/565-command-manager-timeseries branch December 3, 2024 20:17
Successfully merging this pull request may close these issues.

Command manager timeseries index model