Update command event_generator

Remove duplicated fields and order the full document

Update command ECS index documentation

ecs/command/event-generator/event_generator.py

@@ -35,41 +35,40 @@ def generate_random_date(initial_date=None, days_range=30):
 
 
 def generate_random_command(include_all_fields=False):
-    document = {}
-    if include_all_fields:
-        document["@timestamp"] = generate_random_date()
-        document["delivery_timestamp"] = generate_random_date()
-        document["agent"] = {"groups": [f"group{random.randint(1, 5)}"]}
-        document["command"] = {
-          "status": random.choice(["pending", "sent", "success", "failure"]),
-          "result": {
-            "code": random.randint(0, 255),
-            "message": f"Result message {random.randint(1, 1000)}",
-            "data": f"Result data {random.randint(1, 100)}"
-          },
-          "request_id": str(uuid.uuid4()),
-          "order_id": str(uuid.uuid4())
-        }
-        # Generate UUIDs for request_id and order_id
-        document["command"]["request_id"] = str(uuid.uuid4())
-        document["command"]["order_id"] = str(uuid.uuid4())
-    else:
-        document = {
-          "source": random.choice(["Users/Services", "Engine", "Content manager"]),
-          "user": f"user{random.randint(1, 100)}",
-          "target": {
+    command = {
+        "source": random.choice(["Users/Services", "Engine", "Content manager"]),
+        "user": f"user{random.randint(1, 100)}",
+        "target": {
             "id": f"target{random.randint(1, 10)}",
             "type": random.choice(["agent", "group", "server"])
-          },
-          "action": {
-            "name": random.choice(["restart", "update", "change_group", "apply_policy"]),
+        },
+        "action": {
+            "name": random.choice(["restart", "update","change_group", "apply_policy"]),
             "args": [f"/path/to/executable/arg{random.randint(1, 10)}"],
             "version": f"v{random.randint(1, 5)}"
-          },
-          "timeout": random.randint(10, 100)
+        },
+        "timeout": random.randint(10, 100)
+    }
+    if include_all_fields:
+        document = {
+            "@timestamp": generate_random_date(),
+            "delivery_timestamp": generate_random_date(),
+            "agent": {"groups": [f"group{random.randint(1, 5)}"]},
+            "command": {
+                **command,
+                "status": random.choice(["pending", "sent", "success", "failure"]),
+                "result": {
+                    "code": random.randint(0, 255),
+                    "message": f"Result message {random.randint(1, 1000)}",
+                    "data": f"Result data {random.randint(1, 100)}"
+                },
+                "request_id": str(uuid.uuid4()),
+                "order_id": str(uuid.uuid4())
+            }
         }
+        return document
 
-    return document
+    return command
 
 
 def generate_random_data(number, include_all_fields=False):

ecs/docs/commands.md

@@ -1,6 +1,6 @@
 ## `commands` index data model
 
-> [!NOTE]  
+> [!NOTE]
 > rev 0.1 - September 18th, 2024: Add initial model.
 > rev 0.2 - September 30th, 2024: Change type of `request_id`, `order_id` and `id` to keyword.
 > rev 0.3 - October 3rd, 2024: Change descriptions for `command.type`, `command.action.type`, `command.request_id`, `command.order_id`.
@@ -39,6 +39,8 @@ fields:
   base:
     fields:
       tags: []
+      "@timestamp": {}
+      "delivery_timestamp": {}
   agent:
     fields:
       groups: {}
@@ -127,6 +129,17 @@ fields:
       description: >
         UUID generated by the Command Manager.
 ```
+```yml
+- name: base
+  title: Wazuh base fields
+  root: true
+  fields:
+    - name: delivery_timestamp
+      type: date
+      level: custom
+      description: >
+        The latest date-time for the command to be delivered. Calculated as the current timestamp plus the timeout.
+```
 
 ### Index settings