Add @timestamp and delivery_timestamp fields to the commands index data model

ecs/command/event-generator/event_generator.py

@@ -1,6 +1,7 @@
 #!/bin/python3
 
 import argparse
+import datetime
 import json
 import logging
 import random
@@ -10,6 +11,7 @@
 
 LOG_FILE = 'generate_data.log'
 GENERATED_DATA_FILE = 'generatedData.json'
+DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
 # Default values
 INDEX_NAME = ".commands"
 USERNAME = "admin"
@@ -24,34 +26,48 @@
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
 
-def generate_random_command(include_all_fields=False):
-    document = {
-        "source": random.choice(["Users/Services", "Engine", "Content manager"]),
-        "user": f"user{random.randint(1, 100)}",
-        "target": {
-            "id": f"target{random.randint(1, 10)}",
-            "type": random.choice(["agent", "group", "server"])
-        },
-        "action": {
-            "name": random.choice(["restart", "update", "change_group", "apply_policy"]),
-            "args": [f"/path/to/executable/arg{random.randint(1, 10)}"],
-            "version": f"v{random.randint(1, 5)}"
-        },
-        "timeout": random.randint(10, 100)
-    }
+def generate_random_date(initial_date=None, days_range=30):
+    if initial_date is None:
+        initial_date = datetime.datetime.now()
+    random_days = random.randint(0, days_range)
+    new_timestamp = initial_date + datetime.timedelta(days=random_days)
+    return int(new_timestamp.timestamp() * 1000)  # Convert to milliseconds and return as int
+
 
+def generate_random_command(include_all_fields=False):
+    document = {}
     if include_all_fields:
-        document["agent"]["groups"] = [f"group{random.randint(1, 5)}"],
-        document["command"]["status"] = random.choice(
-            ["pending", "sent", "success", "failure"])
-        document["command"]["result"] = {
+        document["@timestamp"] = generate_random_date()
+        document["delivery_timestamp"] = generate_random_date()
+        document["agent"] = {"groups": [f"group{random.randint(1, 5)}"]}
+        document["command"] = {
+          "status": random.choice(["pending", "sent", "success", "failure"]),
+          "result": {
             "code": random.randint(0, 255),
             "message": f"Result message {random.randint(1, 1000)}",
             "data": f"Result data {random.randint(1, 100)}"
+          },
+          "request_id": str(uuid.uuid4()),
+          "order_id": str(uuid.uuid4())
         }
         # Generate UUIDs for request_id and order_id
         document["command"]["request_id"] = str(uuid.uuid4())
         document["command"]["order_id"] = str(uuid.uuid4())
+    else:
+        document = {
+          "source": random.choice(["Users/Services", "Engine", "Content manager"]),
+          "user": f"user{random.randint(1, 100)}",
+          "target": {
+            "id": f"target{random.randint(1, 10)}",
+            "type": random.choice(["agent", "group", "server"])
+          },
+          "action": {
+            "name": random.choice(["restart", "update", "change_group", "apply_policy"]),
+            "args": [f"/path/to/executable/arg{random.randint(1, 10)}"],
+            "version": f"v{random.randint(1, 5)}"
+          },
+          "timeout": random.randint(10, 100)
+        }
 
     return document
 

ecs/command/fields/custom/base.yml

@@ -0,0 +1,9 @@
+- name: base
+  title: Wazuh base fields
+  root: true
+  fields:
+    - name: delivery_timestamp
+      type: date
+      level: custom
+      description: >
+        The latest date-time for the command to be delivered. Calculated as the current timestamp plus the timeout.

ecs/command/fields/subset.yml

@@ -4,6 +4,8 @@ fields:
   base:
     fields:
       tags: []
+      "@timestamp": {}
+      "delivery_timestamp": {}
   agent:
     fields:
       groups: {}