Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New vulnerabilities index #5

Closed
5 tasks done
gdiazlo opened this issue Aug 8, 2023 · 5 comments
Closed
5 tasks done

New vulnerabilities index #5

gdiazlo opened this issue Aug 8, 2023 · 5 comments
Assignees
Labels
level/epic Epic issue type/enhancement Enhancement issue

Comments

@gdiazlo
Copy link
Member

gdiazlo commented Aug 8, 2023

Introduction

With the new vulnerability detector work (wazuh/wazuh#14153), we are going to create new indices which will contain the information about all active vulnerabilities in all endpoints across a Wazuh environment.

Design

  • The index won't have a timestamp, as it will represent the current global status of all vulnerabilities found in all endpoints
  • The index will contain only ECS fields, and will reject any non-mapped fields with an error
  • The index will have the necessary settings to ensure the new dashboard can work without any performance errors

We also need to investigate a way for our indexer package to deploy the indexes and their mappings on a fresh installation, and upgrade them on upgrades.

To test the performance, we will use a canonical environment as described in our documentation.

Plan

Related issues

We will include here related issues outside our plan which might be affected by this development.

@gdiazlo gdiazlo added level/epic Epic issue type/enhancement Enhancement issue labels Aug 8, 2023
@wazuhci wazuhci moved this to Backlog in Release 4.8.0 Aug 16, 2023
@AlexRuiz7 AlexRuiz7 self-assigned this Sep 7, 2023
@wazuhci wazuhci removed this from Release 4.8.0 Sep 7, 2023
@AlexRuiz7
Copy link
Member

Task: Create a sample dataset for testing

Done in #6 (comment)

@wazuhci wazuhci moved this to Blocked in Release 4.8.0 Sep 21, 2023
@wazuhci wazuhci moved this from Blocked to In progress in Release 4.8.0 Oct 16, 2023
@AlexRuiz7
Copy link
Member

AlexRuiz7 commented Oct 16, 2023

Define default search fields

We are using these ECS fields in the index:

  • base
  • agent
  • ecs
  • event
  • host.os
  • package
  • vulnerability

I suggest adding at least one property of each field to the default search fields of the index. We need to have in consideration the significance of these properties, as well as their type, as they can have impact on the searched performed afterward. For example:

A keyword field type contains a string that is not analyzed. It allows only exact, case-sensitive matches.
Source: OpenSearch's Keyword field type documentation

These could be:

Field Type
base.tags keyword[ ]
agent.id keyword
ecs.version keyword
event.id keyword
event.module keyword
event.severity long
host.os.family keyword
host.os.full.text text
host.os.version keyword
package.name keyword
package.version keyword
vulnerability.id keyword
vulnerability.description.text text
vulnerability.severity keyword

which translates into the following lines of code that have to be added to the index template:

"settings": {
  "index.query.default_field": [
    "base.tags",
    "agent.id",
    "ecs.version",
    "event.id",
    "event.module",
    "event.severity",
    "host.os.family",
    "host.os.full.text",
    "host.os.version",
    "package.name",
    "package.version",
    "vulnerability.id",
    "vulnerability.description.text",
    "vulnerability.severity",
  ]
}

Resources:

@AlexRuiz7
Copy link
Member

Create the installation/update procedure

@wazuh/security-warriors will be in charge of this.

@wazuhci wazuhci moved this from In progress to Pending final review in Release 4.8.0 Oct 17, 2023
@wazuhci wazuhci moved this from Pending final review to Done in Release 4.8.0 Oct 17, 2023
@AlexRuiz7 AlexRuiz7 reopened this Oct 18, 2023
@wazuhci wazuhci moved this from Done to Triage in Release 4.8.0 Oct 18, 2023
@AlexRuiz7

This comment was marked as resolved.

@AlexRuiz7
Copy link
Member

I tested again in a fresh environment and the mappings work as expected.

image

@wazuhci wazuhci moved this from Triage to Done in Release 4.8.0 Oct 18, 2023
AlexRuiz7 added a commit that referenced this issue Mar 4, 2024
* Add events generator tool for `wazuh-alerts` (#152)

* Add events generator tool for wazuh-alerts

* Fix typo in README.md

Signed-off-by: Álex Ruiz <[email protected]>

* Make timestamps timezone aware

---------

Signed-off-by: Álex Ruiz <[email protected]>
Co-authored-by: Fede Tux <[email protected]>

* Add `wazuh.manager.name` to VD mappings (#158)

* Create compatibility_request.md (#163)

Signed-off-by: Álex Ruiz <[email protected]>

* Add Python module to accomplish OCSF compliant events (#159)

* Adding Python script that receives a continuous json stream over stdin and outputs parquet to Security Lake

* Adding logstash pipeline for python script

* encode_parquet() function fixed to handle lists of dictionaries

* Correct error in encode_parquet()

* Avoid storing the block ending in the output buffer

* Add comments on handling files and streams with pyarrow for future reference

* Add s3 handling reference links

* Write parquet directly to bucket

* Added basics of map_to_ocsf() function

* Minor fixes

* Map alerts to OCSF as they are read

* Add script to convert Wazuh events to OCSF

Also adds a simple test script

* Add OCSF converter + Parquet encoder + test scripts

* Update .gitignore

* Include the contents of the alert under unmapped

* Add support for different OCSF schema versions

* Use custom ocsf module to map alerts

* Modify script to use converter class

* Code polish and fix errors

* Remove unnecessary type declaration from debug flag

* Improved parquet encoding

* Initial commit for test env's docker-compose.yml

* Remove sudo references from docker-compose.yml

* Add operational Python module to transform events to OCSF

* Create minimal Docker environment to test and develop the integration.

* Fix events-generator's Inventory starvation

* Remove files present in #147

* Cleanup

* Add FQDN hostnames to services for certificates creation

* Add S3 Ninja (Mock) (#165)

* Setup certificates in Wazuh Indexer and Logstash containers (#166)

* Add certificate generator service

* Add certificate config to docker compose file

* Use secrets for certificates

* Disable permission handling inside cert's generator entrypoint.sh

* Back to using a bind mount for certs

* Have entrypoint.sh generate certs with 1000:1000 ownership

* Correct certificate permissions and bind mounting

* Add security initialization variable to compose file

* Fix permissions on certs generator entrypoint

* Add cert generator config file

* Remove old cert generator dir

* Set indexer hostname right in pipeline file

* Roll back commented code

---------

Signed-off-by: Álex Ruiz <[email protected]>
Co-authored-by: Álex Ruiz <[email protected]>

* Fix Logstash pipelines

* Remove unused file

* Implement OCSF severity normalize function

---------

Signed-off-by: Álex Ruiz <[email protected]>
Co-authored-by: Fede Tux <[email protected]>
Co-authored-by: Federico Gustavo Galland <[email protected]>

---------

Signed-off-by: Álex Ruiz <[email protected]>
Co-authored-by: Fede Tux <[email protected]>
Co-authored-by: Federico Gustavo Galland <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
level/epic Epic issue type/enhancement Enhancement issue
Projects
No open projects
Archived in project
Development

No branches or pull requests

2 participants