New vulnerabilities index #5
Assignees
Labels
Comments
|
Task: Create a sample dataset for testing Done in #6 (comment) |
5 tasks
Define default search fieldsWe are using these ECS fields in the index:
I suggest adding at least one property of each field to the default search fields of the index. We need to have in consideration the significance of these properties, as well as their type, as they can have impact on the searched performed afterward. For example:
These could be:
which translates into the following lines of code that have to be added to the index template: "settings": {
"index.query.default_field": [
"base.tags",
"agent.id",
"ecs.version",
"event.id",
"event.module",
"event.severity",
"host.os.family",
"host.os.full.text",
"host.os.version",
"package.name",
"package.version",
"vulnerability.id",
"vulnerability.description.text",
"vulnerability.severity",
]
}Resources: |
Create the installation/update procedure@wazuh/security-warriors will be in charge of this. |
This comment was marked as resolved.
This comment was marked as resolved.
|
I tested again in a fresh environment and the mappings work as expected.
|
AlexRuiz7
added a commit
that referenced
this issue
Mar 4, 2024
* Add events generator tool for `wazuh-alerts` (#152) * Add events generator tool for wazuh-alerts * Fix typo in README.md Signed-off-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com> * Make timestamps timezone aware --------- Signed-off-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com> Co-authored-by: Fede Tux <federico.galland@wazuh.com> * Add `wazuh.manager.name` to VD mappings (#158) * Create compatibility_request.md (#163) Signed-off-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com> * Add Python module to accomplish OCSF compliant events (#159) * Adding Python script that receives a continuous json stream over stdin and outputs parquet to Security Lake * Adding logstash pipeline for python script * encode_parquet() function fixed to handle lists of dictionaries * Correct error in encode_parquet() * Avoid storing the block ending in the output buffer * Add comments on handling files and streams with pyarrow for future reference * Add s3 handling reference links * Write parquet directly to bucket * Added basics of map_to_ocsf() function * Minor fixes * Map alerts to OCSF as they are read * Add script to convert Wazuh events to OCSF Also adds a simple test script * Add OCSF converter + Parquet encoder + test scripts * Update .gitignore * Include the contents of the alert under unmapped * Add support for different OCSF schema versions * Use custom ocsf module to map alerts * Modify script to use converter class * Code polish and fix errors * Remove unnecessary type declaration from debug flag * Improved parquet encoding * Initial commit for test env's docker-compose.yml * Remove sudo references from docker-compose.yml * Add operational Python module to transform events to OCSF * Create minimal Docker environment to test and develop the integration. * Fix events-generator's Inventory starvation * Remove files present in #147 * Cleanup * Add FQDN hostnames to services for certificates creation * Add S3 Ninja (Mock) (#165) * Setup certificates in Wazuh Indexer and Logstash containers (#166) * Add certificate generator service * Add certificate config to docker compose file * Use secrets for certificates * Disable permission handling inside cert's generator entrypoint.sh * Back to using a bind mount for certs * Have entrypoint.sh generate certs with 1000:1000 ownership * Correct certificate permissions and bind mounting * Add security initialization variable to compose file * Fix permissions on certs generator entrypoint * Add cert generator config file * Remove old cert generator dir * Set indexer hostname right in pipeline file * Roll back commented code --------- Signed-off-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com> Co-authored-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com> * Fix Logstash pipelines * Remove unused file * Implement OCSF severity normalize function --------- Signed-off-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com> Co-authored-by: Fede Tux <federico.galland@wazuh.com> Co-authored-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> --------- Signed-off-by: Álex Ruiz <alejandro.ruiz.becerra@wazuh.com> Co-authored-by: Fede Tux <federico.galland@wazuh.com> Co-authored-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Introduction
With the new vulnerability detector work (wazuh/wazuh#14153), we are going to create new indices which will contain the information about all active vulnerabilities in all endpoints across a Wazuh environment.
Design
We also need to investigate a way for our indexer package to deploy the indexes and their mappings on a fresh installation, and upgrade them on upgrades.
To test the performance, we will use a canonical environment as described in our documentation.
Plan
Related issues
We will include here related issues outside our plan which might be affected by this development.
The text was updated successfully, but these errors were encountered: