POC data persistence UX - agent commands #214

Closed
4 tasks
Tracked by #210
asteriscos opened this issue Jun 21, 2024 · 3 comments
Assignees
Labels
level/task Task issue type/enhancement New feature or request

Comments


asteriscos commented Jun 21, 2024

Description

We will implement a new commands feature in Wazuh which will allow sending commands to agents in a generic way. The initial design of the commands feature is described in the Data persistence issue, where this issue is tracked.

These commands will be stored in a Wazuh index, following a defined schema. Also, these commands will be updated over time with feedback from the agent, related to the failure or success during the execution of the command.

We must create a new plugin with the proof of concept of a UI that allows the user to manage the agent commands. The user must be able to see the list and filter it (e.g. by finished, pending or failed state).

We might allow the user to create new commands, but these commands won't be written to the index, as only the command API will be able to write to the commands index.

Plan

  • Create a new plugin with a basic layout to manage agent commands
  • Mock data in an index and mock endpoints in the imposter so the UI has a minimum functionality
    • The mocks must be compliant with WCS (Wazuh common schema)
  • The queries and data manipulation should only be possible with an internal user for security reasons.
    • To achieve this, evaluate the possibility of using an index whose name starts with a dot (.) so it is not listed with the other indexes
  • Determine basic RBAC roles and permissions to limit the interaction with the plugin
@asteriscos asteriscos added type/enhancement New feature or request level/task Task issue labels Jun 21, 2024
@wazuhci wazuhci moved this to Triage in XDR+SIEM/Release 5.0.0 Jun 21, 2024
@wazuhci wazuhci moved this from Triage to Backlog in XDR+SIEM/Release 5.0.0 Jun 27, 2024
@Machi3mfl Machi3mfl self-assigned this Aug 5, 2024
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 5.0.0 Aug 5, 2024

Machi3mfl commented Aug 5, 2024

Update 2024/05/08

  • Add commands index pattern (three screenshots attached)
  • Create commands overview page (screenshot attached)


Machi3mfl commented Aug 6, 2024

Update 2024/06/08

Screen.Recording.2024-08-06.at.16.26.54.mov

Note

Added more readable data and adjusted command table columns. Also, the command detail flyout was added.

@lucianogorza

Data analysis

Analyzing the fields established in the commands index, we suggest adding some fields that are listed in the Process ECS:

  • entity_id: To uniquely identify the process.
  • name: To provide the user with a quick way to identify it. Example: ssh.
  • start and end: To know when the process started and ended.
  • command_line: So the user can see the exact command executed.
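
As an added example that is not part of this issue or of the Wazuh project, the following Python sketch combines the command states from the plan (pending, finished, failed) with the ECS process fields suggested in the data analysis above, and shows the validation, agent feedback update and state filter a read-only UI would rely on. The index name, the `command.status` field and the sample document values are assumptions; only the `process.*` field names come from ECS.

```python
# Added example (not from the Wazuh issue or the dashboard plugin): a commands document with the
# issue's status feedback and the ECS process.* fields proposed in the thread. Non-ECS names are assumed.
import copy

COMMANDS_INDEX = ".wazuh-commands"  # assumed name; the leading dot hides it from index listings
COMMAND_STATES = ("pending", "finished", "failed")  # states the UI filters on, from the issue
# Assumed mapping: command.status plus the ECS process fields suggested in the thread.
COMMANDS_MAPPING = {"mappings": {"properties": {
    "@timestamp": {"type": "date"},
    "agent": {"properties": {"id": {"type": "keyword"}}},
    "command": {"properties": {"status": {"type": "keyword"}}},
    "process": {"properties": {
        "entity_id": {"type": "keyword"},     # uniquely identifies the process
        "name": {"type": "keyword"},          # quick identification, e.g. "ssh"
        "start": {"type": "date"},
        "end": {"type": "date"},
        "command_line": {"type": "keyword"},  # the exact command executed
    }},
}}}

def validate_command(doc):
    """Reject a command in an unknown state or lacking the ECS process identity fields."""
    status = doc.get("command", {}).get("status")
    if status not in COMMAND_STATES:
        raise ValueError(f"unknown command.status {status!r}")
    process = doc.get("process", {})
    missing = [f for f in ("entity_id", "name", "command_line") if not process.get(f)]
    if missing:
        raise ValueError("missing process fields: " + ", ".join(missing))
    return True

def apply_feedback(doc, status, ended_at):
    """Record the agent's result: only a pending command may move to finished or failed."""
    if doc["command"]["status"] != "pending" or status not in ("finished", "failed"):
        raise ValueError("feedback only moves a pending command to finished/failed")
    updated = copy.deepcopy(doc)  # the UI never mutates stored documents; only the API writes
    updated["command"]["status"] = status
    updated["process"]["end"] = ended_at
    return updated

def filter_by_status(docs, status):
    """The list filter the UI offers (finished / pending / failed)."""
    return [d for d in docs if d["command"]["status"] == status]

# Constructed sample: one command as the command API would write it, still pending.
SAMPLE_COMMAND = {
    "@timestamp": "2024-08-06T14:00:00Z", "agent": {"id": "001"},
    "command": {"status": "pending"},
    "process": {"entity_id": "cmd-0001", "name": "ssh",
                "start": "2024-08-06T14:00:01Z", "command_line": "ssh -V"},
}
```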
