From 3a0ffb057d944ce35b7ea4c305655a46b49f3eef Mon Sep 17 00:00:00 2001
From: quebim
Date: Fri, 29 Nov 2024 16:44:23 -0300
Subject: [PATCH] Update command event_generator

Remove duplicated fields and order the full document
Update command ECS index documentation
---
 .../event-generator/event_generator.py | 57 +++++++++----------
 ecs/docs/commands.md                   | 15 ++++-
 2 files changed, 42 insertions(+), 30 deletions(-)

diff --git a/ecs/command/event-generator/event_generator.py b/ecs/command/event-generator/event_generator.py
index 181eb95b87cd1..e804c1f3ab98e 100644
--- a/ecs/command/event-generator/event_generator.py
+++ b/ecs/command/event-generator/event_generator.py
@@ -35,41 +35,40 @@ def generate_random_date(initial_date=None, days_range=30):
 
 
 def generate_random_command(include_all_fields=False):
-    document = {}
-    if include_all_fields:
-        document["@timestamp"] = generate_random_date()
-        document["delivery_timestamp"] = generate_random_date()
-        document["agent"] = {"groups": [f"group{random.randint(1, 5)}"]}
-        document["command"] = {
-            "status": random.choice(["pending", "sent", "success", "failure"]),
-            "result": {
-                "code": random.randint(0, 255),
-                "message": f"Result message {random.randint(1, 1000)}",
-                "data": f"Result data {random.randint(1, 100)}"
-            },
-            "request_id": str(uuid.uuid4()),
-            "order_id": str(uuid.uuid4())
-        }
-        # Generate UUIDs for request_id and order_id
-        document["command"]["request_id"] = str(uuid.uuid4())
-        document["command"]["order_id"] = str(uuid.uuid4())
-    else:
-        document = {
-            "source": random.choice(["Users/Services", "Engine", "Content manager"]),
-            "user": f"user{random.randint(1, 100)}",
-            "target": {
+    command = {
+        "source": random.choice(["Users/Services", "Engine", "Content manager"]),
+        "user": f"user{random.randint(1, 100)}",
+        "target": {
                 "id": f"target{random.randint(1, 10)}",
                 "type": random.choice(["agent", "group", "server"])
-            },
-            "action": {
-                "name": random.choice(["restart", "update", "change_group", "apply_policy"]),
+        },
+        "action": {
+            "name": random.choice(["restart", "update","change_group", "apply_policy"]),
                 "args": [f"/path/to/executable/arg{random.randint(1, 10)}"],
                 "version": f"v{random.randint(1, 5)}"
-            },
-            "timeout": random.randint(10, 100)
+        },
+        "timeout": random.randint(10, 100)
+    }
+    if include_all_fields:
+        document = {
+            "@timestamp": generate_random_date(),
+            "delivery_timestamp": generate_random_date(),
+            "agent": {"groups": [f"group{random.randint(1, 5)}"]},
+            "command": {
+                **command,
+                "status": random.choice(["pending", "sent", "success", "failure"]),
+                "result": {
+                    "code": random.randint(0, 255),
+                    "message": f"Result message {random.randint(1, 1000)}",
+                    "data": f"Result data {random.randint(1, 100)}"
+                },
+                "request_id": str(uuid.uuid4()),
+                "order_id": str(uuid.uuid4())
+            }
         }
+        return document
 
-    return document
+    return command
 
 
 def generate_random_data(number, include_all_fields=False):
diff --git a/ecs/docs/commands.md b/ecs/docs/commands.md
index afbd250a9885f..8fe8abe553cc0 100644
--- a/ecs/docs/commands.md
+++ b/ecs/docs/commands.md
@@ -1,6 +1,6 @@
 ## `commands` index data model
 
-> [!NOTE] 
+> [!NOTE]
 > rev 0.1 - September 18th, 2024: Add initial model.
 > rev 0.2 - September 30th, 2024: Change type of `request_id`, `order_id` and `id` to keyword.
 > rev 0.3 - October 3rd, 2024: Change descriptions for `command.type`, `command.action.type`, `command.request_id`, `command.order_id`.
@@ -39,6 +39,8 @@ fields:
     base:
       fields:
         tags: []
+        "@timestamp": {}
+        "delivery_timestamp": {}
         agent:
           fields:
             groups: {}
@@ -127,6 +129,17 @@ fields:
       description: >
         UUID generated by the Command Manager.
 ```
+```yml
+- name: base
+  title: Wazuh base fields
+  root: true
+  fields:
+    - name: delivery_timestamp
+      type: date
+      level: custom
+      description: >
+        The latest date-time for the command to be delivered. Calculated as the current timestamp plus the timeout.
+```
 
 ### Index settings
 
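Review bot: `"delivery_timestamp": generate_random_date()` is drawn independently of `"@timestamp"` and of `command["timeout"]`, so the generated documents do not satisfy the relation this same commit documents in commands.md ("current timestamp plus the timeout") and can carry a delivery time earlier than the command's own timestamp, which is exactly the kind of sample data that hides an expiry-check bug in a consumer. Consider generating `@timestamp` once into a local and deriving `delivery_timestamp` from it plus the timeout; `generate_random_date(initial_date=...)` looks like the hook for that, but its return type is not visible in the hunk, so confirm it accepts its own output before wiring them together. Separately, the unchanged context lines for `"id"`, `"type"`, `"args"` and `"version"` keep their old 16-space indent while their sibling keys now sit at 12, and the new `"name"` line lost the space in `"update","change_group"`; an autoformatter pass over the function would fix both.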