
Implement commands index creation #42

Closed
Tracked by #349
AlexRuiz7 opened this issue Sep 11, 2024 · 2 comments · Fixed by wazuh/wazuh-indexer#413, #83 or wazuh/wazuh-indexer#437

Comments

@AlexRuiz7
Member

AlexRuiz7 commented Sep 11, 2024

Description

Include the latest version of the commands index template in the Command Manager plugin.

The fields of the commands index are described in wazuh/wazuh-indexer#349.

Note: this index must be hidden.

@AlexRuiz7 AlexRuiz7 added level/task Task issue type/enhancement Enhancement issue labels Sep 11, 2024
@AlexRuiz7 AlexRuiz7 self-assigned this Sep 11, 2024
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 5.0.0 Sep 11, 2024
@AlexRuiz7 AlexRuiz7 changed the title Implement commands index creation Implement commands index creation Sep 11, 2024
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 5.0.0 Sep 18, 2024
@AlexRuiz7
Member Author

AlexRuiz7 commented Sep 18, 2024

commands index data model

Note

rev 0.1 - September 18th, 2024: Add initial model.
rev 0.2 - September 30th, 2024: Change type of request_id, order_id and id to keyword.
rev 0.3 - October 3rd, 2024: Change descriptions for command.type, command.action.type, command.request_id, command.order_id.
rev 0.4 - October 9th, 2024: Apply changes described in #96 (comment).

Fields summary

This index stores information about the commands executed by the agents. The index appears in 5.0.0 for the first time.

| ECS field | Type | Description |
|---|---|---|
| *agent.groups | keyword | Agent's groups. |
| *command.source | keyword | Origin of the request. One of [Users/Services (via Management API), Engine (via Management API), Content manager (directly)]. |
| *command.user | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. |
| *command.target.id | keyword | Unique identifier of the destination to send the command to. |
| *command.target.type | keyword | The destination type. One of [group, agent, server]. |
| *command.action.name | keyword | The requested action type. Examples: restart, update, change_group, apply_policy, ... |
| *command.action.args | keyword | Array of command arguments, starting with the absolute path to the executable. |
| *command.action.version | keyword | Version of the command's schema. |
| *command.timeout | short | Time window in which the command has to be sent to its target. |
| *command.status | keyword | Status within the Command Manager's context. One of [pending, sent, success, failure]. |
| *command.result.code | short | Status code returned by the target. |
| *command.result.message | keyword | Result message returned by the target. |
| *command.result.data | keyword | Result data returned by the target. |
| *command.request_id | keyword | UUID generated by the Command Manager. |
| *command.order_id | keyword | UUID generated by the Command Manager. |

\* Custom field.

ECS mapping

```yaml
---
name: command
fields:
    base:
        fields:
            tags: []
    agent:
        fields:
            groups: {}
    command:
        fields: "*"
---
- name: command
  title: Wazuh commands
  short: Wazuh Inc. custom fields.
  description: >
      This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers.
  type: group
  group: 2
  fields:
      - name: source
        type: keyword
        level: custom
        description: >
            Origin of the request.
      - name: user
        type: keyword
        level: custom
        description: >
            The user that originated the request.
      - name: target.id
        type: keyword
        level: custom
        description: >
            Unique identifier of the destination to send the command to.
      - name: target.type
        type: keyword
        level: custom
        description: >
            The destination type. One of [`group`, `agent`, `server`]
      - name: action.name
        type: keyword
        level: custom
        description: >
            The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ...
      - name: action.args
        type: keyword
        level: custom
        description: >
            Array of command arguments, starting with the absolute path to the executable.
      - name: action.version
        type: keyword
        level: custom
        description: >
            Version of the command's schema.
      - name: timeout
        type: short
        level: custom
        description: >
            Time window in which the command has to be sent to its target.
      - name: status
        type: keyword
        level: custom
        description: >
            Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure'].
      - name: result.code
        type: short
        level: custom
        description: >
            Status code returned by the target.
      - name: result.message
        type: keyword
        level: custom
        description: >
            Result message returned by the target.
      - name: result.data
        type: keyword
        level: custom
        description: >
            Result data returned by the target.
      - name: request_id
        type: keyword
        level: custom
        description: >
            UUID generated by the Command Manager.
      - name: order_id
        type: keyword
        level: custom
        description: >
            UUID generated by the Command Manager.
```

Index settings

```json
{
    "index_patterns": [".commands*"],
    "priority": 1,
    "template": {
        "settings": {
            "index": {
                "hidden": true,
                "number_of_shards": "1",
                "number_of_replicas": "0",
                "refresh_interval": "5s",
                "query.default_field": [
                    "command.source",
                    "command.target.type",
                    "command.status",
                    "command.action.name"
                ]
            }
        }
    }
}
```

@AlexRuiz7
Member Author

AlexRuiz7 commented Sep 18, 2024

commands index template

```json
{
  "index_patterns": [
    ".commands*"
  ],
  "mappings": {
    "date_detection": false,
    "dynamic": "strict",
    "properties": {
      "agent": {
        "properties": {
          "groups": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "command": {
        "properties": {
          "action": {
            "properties": {
              "args": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "order_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "request_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "result": {
            "properties": {
              "code": {
                "type": "short"
              },
              "data": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "message": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "source": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "status": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "target": {
            "properties": {
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "type": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "timeout": {
            "type": "short"
          },
          "user": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      }
    }
  },
  "order": 1,
  "settings": {
    "index": {
      "hidden": true,
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
        "command.source",
        "command.target.type",
        "command.status",
        "command.action.name"
      ],
      "refresh_interval": "5s"
    }
  }
}
```

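The data model in the first comment and the `dynamic: strict` template in the second together define what the hidden `.commands*` index will accept. The following added example (not code from the issue or from the Command Manager plugin) emulates those checks client-side, so a command document can be validated before it is indexed; the enumerated values for `command.status` and `command.target.type` come from the fields summary and are an application-level check the keyword mapping itself does not enforce, and the sample documents are constructed.

```python
# Added example (not from the Wazuh issue or the Command Manager plugin): emulate the checks
# the `.commands*` template's strict mapping applies to a command document before indexing.
KEYWORD, SHORT = {"type": "keyword", "ignore_above": 1024}, {"type": "short"}

FIELDS = {p: KEYWORD for p in (  # leaf fields of the template's mapping, as dotted paths
    "agent.groups", "command.source", "command.user", "command.target.id",
    "command.target.type", "command.action.name", "command.action.args",
    "command.action.version", "command.status", "command.result.message",
    "command.result.data", "command.request_id", "command.order_id")}
FIELDS.update({"command.timeout": SHORT, "command.result.code": SHORT})
# Allowed values from the fields summary; a keyword mapping does not enforce these, so this
# is an application-level check layered on top of what the indexer does.
ENUMS = {"command.target.type": {"group", "agent", "server"},
         "command.status": {"pending", "sent", "success", "failure"}}

def flatten(obj, prefix=""):
    # Yield (dotted_path, value) for every leaf of a nested document.
    for key, value in obj.items():
        if isinstance(value, dict):
            yield from flatten(value, f"{prefix}{key}.")
        else:
            yield prefix + key, value

def validate(doc):
    # Return the problems found; an empty list means the document would be accepted.
    problems = []
    for path, value in flatten(doc):
        spec = FIELDS.get(path)
        if spec is None:  # dynamic=strict rejects any path absent from the mapping
            problems.append(f"{path}: unknown field, rejected by dynamic=strict")
            continue
        for item in value if isinstance(value, list) else [value]:
            if spec["type"] == "short":  # stricter than the indexer's default coercion
                if isinstance(item, bool) or not isinstance(item, int) or not -32768 <= item <= 32767:
                    problems.append(f"{path}: {item!r} is not a valid short")
            elif not isinstance(item, str):
                problems.append(f"{path}: {item!r} is not a string keyword")
            elif len(item) > spec["ignore_above"]:
                problems.append(f"{path}: exceeds ignore_above, stored but not indexed")
            elif path in ENUMS and item not in ENUMS[path]:
                problems.append(f"{path}: {item!r} not in {sorted(ENUMS[path])}")
    return problems

# Constructed sample documents (not real Wazuh data).
VALID_COMMAND = {"agent": {"groups": ["default"]}, "command": {
    "source": "Users/Services", "user": "admin", "target": {"id": "agent-001", "type": "agent"},
    "action": {"name": "restart", "args": ["/usr/bin/systemctl", "restart", "wazuh-agent"], "version": "5.0.0"},
    "timeout": 300, "status": "pending", "request_id": "c0ffee00-0000-4000-8000-000000000001",
    "order_id": "c0ffee00-0000-4000-8000-000000000002"}}
BAD_COMMAND = {"command": {"status": "done", "timeout": 70000, "extra": "x"}}
```

`validate(VALID_COMMAND)` returns an empty list, while `validate(BAD_COMMAND)` reports the out-of-range status, the `timeout` that does not fit a `short`, and the field the strict mapping would reject.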
@wazuhci wazuhci moved this from In progress to Pending review in XDR+SIEM/Release 5.0.0 Sep 18, 2024
@wazuhci wazuhci moved this from Pending review to On hold in XDR+SIEM/Release 5.0.0 Sep 23, 2024
@wazuhci wazuhci moved this from On hold to Blocked in XDR+SIEM/Release 5.0.0 Sep 24, 2024
@wazuhci wazuhci moved this from Blocked to In progress in XDR+SIEM/Release 5.0.0 Sep 27, 2024
@wazuhci wazuhci moved this from In progress to Pending review in XDR+SIEM/Release 5.0.0 Sep 30, 2024
@AlexRuiz7 AlexRuiz7 linked a pull request Sep 30, 2024 that will close this issue
@wazuhci wazuhci moved this from Pending review to Pending final review in XDR+SIEM/Release 5.0.0 Sep 30, 2024
@wazuhci wazuhci moved this from Pending final review to Done in XDR+SIEM/Release 5.0.0 Oct 1, 2024