From 2c08f43c35099bcf37197b0e44bac1ddf8b1447b Mon Sep 17 00:00:00 2001 
From: Guido Modarelli <38738725+guidomodarelli@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:45:10 -0300 Subject: [PATCH] Remove virustotal feature and dashboards in favor of malware dashboard (#7038) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Remove Virustotal from Applications list * Remove Virustotal feature and dashboards * Remove Virustotal feature and dashboards as they are obsolete * Remove VirusTotal * Fix Prettier issues * Update CHANGELOG.md Co-authored-by: Antonio <34042064+Desvelao@users.noreply.github.com> * Add VirusTotal integration for threat detection capabilities * Restore plugins/main/public/controllers/management/components/management/configuration/configuration-settings.js * Restore plugins/main/public/controllers/management/components/management/configuration/integrations/integrations.js * Restore test/cypress * Restore scripts/wazuh-alerts-generator/cli.js * Restore plugins/main/public/components/add-modules-data/sample-data.tsx * Add Virustotal application to Applications list * fix: error registering unwanted application and move VirusTotal sample data to Malware detection category * fix: move VirusTotal sample data to Malware detection category in script * fix: enhance variable name --------- Co-authored-by: Federico Rodriguez Co-authored-by: Antonio <34042064+Desvelao@users.noreply.github.com> Co-authored-by: Antonio David GutiƩrrez --- CHANGELOG.md | 1 + plugins/main/common/constants.ts | 4 +- plugins/main/common/wazuh-modules.ts | 6 - .../add-modules-data/sample-data.tsx | 21 +- .../data-source/pattern/alerts/index.ts | 1 - .../pattern/alerts/virustotal/index.ts | 1 - .../virustotal/virustotal-data-source.ts | 28 - .../common/modules/modules-defaults.tsx | 18 - .../main/public/components/overview/index.ts | 1 - .../virustotal/dashboard/dashboard.tsx | 168 --- .../virustotal/dashboard/dashboard_panels.ts | 989 ------------------ .../dashboard/dashboard_panels_kpis.ts | 304 ------ 
.../overview/virustotal/dashboard/index.tsx | 1 - .../dashboard/virustotal_dashboard.scss | 10 - .../virustotal/events/virustotal-columns.tsx | 40 - plugins/main/public/utils/applications.ts | 26 - .../agents/index.ts | 90 +- plugins/main/server/routes/wazuh-reporting.ts | 259 +++-- plugins/wazuh-core/common/constants.ts | 2 +- scripts/wazuh-alerts-generator/cli.js | 13 +- 20 files changed, 202 insertions(+), 1781 deletions(-) delete mode 100644 plugins/main/public/components/common/data-source/pattern/alerts/virustotal/index.ts delete mode 100644 plugins/main/public/components/common/data-source/pattern/alerts/virustotal/virustotal-data-source.ts delete mode 100644 plugins/main/public/components/overview/virustotal/dashboard/dashboard.tsx delete mode 100644 plugins/main/public/components/overview/virustotal/dashboard/dashboard_panels.ts delete mode 100644 plugins/main/public/components/overview/virustotal/dashboard/dashboard_panels_kpis.ts delete mode 100644 plugins/main/public/components/overview/virustotal/dashboard/index.tsx delete mode 100644 plugins/main/public/components/overview/virustotal/dashboard/virustotal_dashboard.scss delete mode 100644 plugins/main/public/components/overview/virustotal/events/virustotal-columns.tsx diff --git a/CHANGELOG.md b/CHANGELOG.md index d1b27fe8de..9d1480b279 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ All notable changes to the Wazuh app project will be documented in this file. - Removed agent RBAC filters from dashboard queries [#6945](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6945) - Removed GET /elastic/statistics API endpoint [#7001](https://github.com/wazuh/wazuh-dashboard-plugins/pull/7001) +- Removed VirusTotal application in favor of Malware Detection [#7038](https://github.com/wazuh/wazuh-dashboard-plugins/pull/7038) ## Wazuh v4.9.1 - OpenSearch Dashboards 2.13.0 - Revision 03 
diff --git a/plugins/main/common/constants.ts b/plugins/main/common/constants.ts
index 9442a5b76f..40ef55817b 100644
--- a/plugins/main/common/constants.ts
+++ b/plugins/main/common/constants.ts
@@ -81,11 +81,11 @@ export const WAZUH_SAMPLE_ALERTS_CATEGORIES_TYPE_ALERTS = {
 { audit: true },
 { openscap: true },
 { ciscat: true },
+ { virustotal: true },
 { yara: true },
 ],
 [WAZUH_SAMPLE_ALERTS_CATEGORY_THREAT_DETECTION]: [
 { vulnerabilities: true },
- { virustotal: true },
 { osquery: true },
 { docker: true },
 { mitre: true },
@@ -243,8 +243,6 @@ export const DATA_SOURCE_FILTER_CONTROLLED_MITRE_ATTACK_RULE =
 'mitre-attack-rule';
 export const DATA_SOURCE_FILTER_CONTROLLED_MITRE_ATTACK_RULE_ID =
 'hidden-mitre-attack-rule-id';
-export const DATA_SOURCE_FILTER_CONTROLLED_VIRUSTOTAL_RULE_GROUP =
- 'virustotal-rule-group';
 export const DATA_SOURCE_FILTER_CONTROLLED_GOOGLE_CLOUD_RULE_GROUP =
 'gcp-rule-group';
 export const DATA_SOURCE_FILTER_CONTROLLED_MALWARE_DETECTION_RULE_GROUP =
diff --git a/plugins/main/common/wazuh-modules.ts b/plugins/main/common/wazuh-modules.ts
index 82eb87c3bf..f251c03f0d 100644
--- a/plugins/main/common/wazuh-modules.ts
+++ b/plugins/main/common/wazuh-modules.ts
@@ -99,12 +99,6 @@ export const WAZUH_MODULES = {
 description: 'Security events related to your Google Cloud Platform services, collected directly via GCP API.', // TODO GCP
 },
- virustotal: {
- title: 'VirusTotal',
- appId: 'virustotal',
- description:
- 'Alerts resulting from VirusTotal analysis of suspicious files via an integration with their API.',
- },
 mitre: {
 title: 'MITRE ATT&CK',
 appId: 'mitre-attack',
diff --git a/plugins/main/public/components/add-modules-data/sample-data.tsx b/plugins/main/public/components/add-modules-data/sample-data.tsx
index ee7ab442ca..d3c33250af 100644
--- a/plugins/main/public/components/add-modules-data/sample-data.tsx
+++ b/plugins/main/public/components/add-modules-data/sample-data.tsx
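Review bot: The moved `{ virustotal: true }` entry in the first constants.ts hunk lands in a category list whose key is above the hunk's first line, and nothing in the file records why VirusTotal sample alerts left the threat-detection category; the sample-data.tsx hunk in this patch suggests the target is the category shown as `Sample Malware Detection`. A one-line comment on the moved entry, `// VirusTotal sample alerts are generated under the Malware Detection category (#7038)`, would let a reader connect the two files without the changelog. The second hunk deletes the exported `DATA_SOURCE_FILTER_CONTROLLED_VIRUSTOTAL_RULE_GROUP`; the only consumer visible here is the deleted virustotal-data-source.ts, so it is worth confirming that the reporting route and wazuh-core constants files listed in the diffstat (not shown in this chunk) hold no remaining reference.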
@@ -37,7 +37,6 @@ import { malwareDetection, mitreAttack, office365, - virustotal, vulnerabilityDetection, } from '../../utils/applications'; @@ -47,14 +46,18 @@ const sampleSecurityInformationApplication = [ office365.title, googleCloud.title, github.title, -]; + 'authorization', + 'ssh', + 'web', +].join(', '); const sampleThreatDetectionApplication = [ vulnerabilityDetection.title, - virustotal.title, docker.title, mitreAttack.title, -]; +].join(', '); + +const sampleMalwareDetection = ['malware', 'VirusTotal', 'YARA'].join(', '); export default class WzSampleData extends Component { categories: { @@ -77,23 +80,19 @@ export default class WzSampleData extends Component { this.categories = [ { title: 'Sample security information', - description: `Sample data, visualizations and dashboards for security information (${sampleSecurityInformationApplication.join( - ', ', - )}, authorization, ssh, web).`, + description: `Sample data, visualizations and dashboards for security information (${sampleSecurityInformationApplication}).`, image: '', categorySampleAlertsIndex: 'security', }, { title: `Sample ${malwareDetection.title}`, - description: `Sample data, visualizations and dashboards for events of ${malwareDetection.title} (${malwareDetection.title}).`, + description: `Sample data, visualizations and dashboards for events of ${malwareDetection.title} (${sampleMalwareDetection}).`, image: '', categorySampleAlertsIndex: 'auditing-policy-monitoring', }, { title: 'Sample threat detection and response', - description: `Sample data, visualizations and dashboards for threat events of detection and response (${sampleThreatDetectionApplication.join( - ', ', - )}).`, + description: `Sample data, visualizations and dashboards for threat events of detection and response (${sampleThreatDetectionApplication}).`, image: '', categorySampleAlertsIndex: 'threat-detection', }, 
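Review bot: `sampleMalwareDetection` in the second sample-data.tsx hunk hard-codes `'malware'`, `'VirusTotal'` and `'YARA'` as string literals, while the two sibling lists beside it take their names from the `applications` titles, so a reader will wonder whether these should also be `*.title` references. If the literals are meant to mirror sample-alert types (the constants.ts hunk in this patch lists `virustotal` and `yara` entries) rather than registered applications, say so above the constant, e.g. `// Sample-alert types, not application titles: VirusTotal no longer has its own application.`; otherwise the mixed casing of a lowercase `'malware'` next to two proper nouns reads as accidental. As a point of style, `sampleSecurityInformationApplication` and `sampleThreatDetectionApplication` now hold joined strings rather than arrays, so the unchanged names still suggest a list; a name ending in `Text` or `Label` would match the new type.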
diff --git a/plugins/main/public/components/common/data-source/pattern/alerts/index.ts b/plugins/main/public/components/common/data-source/pattern/alerts/index.ts
index effcfe3e7b..c093c8a4fe 100644
--- a/plugins/main/public/components/common/data-source/pattern/alerts/index.ts
+++ b/plugins/main/public/components/common/data-source/pattern/alerts/index.ts
@@ -8,7 +8,6 @@ export * from './docker';
 export * from './malware-detection';
 export * from './vulnerabilities';
 export * from './hipaa';
-export * from './virustotal';
 export * from './nist-800-53';
 export * from './mitre-attack';
 export * from './pci-dss';
diff --git a/plugins/main/public/components/common/data-source/pattern/alerts/virustotal/index.ts b/plugins/main/public/components/common/data-source/pattern/alerts/virustotal/index.ts
deleted file mode 100644
index ffed0ecacd..0000000000
--- a/plugins/main/public/components/common/data-source/pattern/alerts/virustotal/index.ts
+++ /dev/null
@@ -1 +0,0 @@
-export * from './virustotal-data-source';
diff --git a/plugins/main/public/components/common/data-source/pattern/alerts/virustotal/virustotal-data-source.ts b/plugins/main/public/components/common/data-source/pattern/alerts/virustotal/virustotal-data-source.ts
deleted file mode 100644
index bd477527a1..0000000000
--- a/plugins/main/public/components/common/data-source/pattern/alerts/virustotal/virustotal-data-source.ts
+++ /dev/null
@@ -1,28 +0,0 @@
-import { tFilter } from '../../../index';
-import { DATA_SOURCE_FILTER_CONTROLLED_VIRUSTOTAL_RULE_GROUP } from '../../../../../../../common/constants';
-import { AlertsDataSource } from '../alerts-data-source';
-
-const VIRUSTOTAL_GROUP_KEY = 'rule.groups';
-const VIRUSTOTAL_GROUP_VALUE = 'virustotal';
-
-export class VirusTotalDataSource extends AlertsDataSource {
- constructor(id: string, title: string) {
- super(id, title);
- }
-
- getRuleGroupsFilter() {
- return super.getRuleGroupsFilter(
- VIRUSTOTAL_GROUP_KEY,
- VIRUSTOTAL_GROUP_VALUE,
- DATA_SOURCE_FILTER_CONTROLLED_VIRUSTOTAL_RULE_GROUP,
- );
- }
-
- getFixedFilters(): tFilter[] {
- return [
- ...super.getFixedFiltersClusterManager(),
- ...this.getRuleGroupsFilter(),
- ...super.getFixedFilters(),
- ];
- }
-}
diff --git a/plugins/main/public/components/common/modules/modules-defaults.tsx b/plugins/main/public/components/common/modules/modules-defaults.tsx
index 926216572a..0fc4b4b5bc 100644
--- a/plugins/main/public/components/common/modules/modules-defaults.tsx
+++ b/plugins/main/public/components/common/modules/modules-defaults.tsx
@@ -38,7 +38,6 @@ import { gdprColumns } from '../../overview/gdpr/events/gdpr-columns';
 import { tscColumns } from '../../overview/tsc/events/tsc-columns';
 import { githubColumns } from '../../overview/github/events/github-columns';
 import { mitreAttackColumns } from '../../overview/mitre/events/mitre-attack-columns';
-import { virustotalColumns } from '../../overview/virustotal/events/virustotal-columns';
 import { malwareDetectionColumns } from '../../overview/malware-detection/events/malware-detection-columns';
 import { WAZUH_VULNERABILITIES_PATTERN } from '../../../../common/constants';
 import {
@@ -55,7 +54,6 @@ import {
 DashboardAWS,
 DashboardOffice365,
 DashboardThreatHunting,
- DashboardVirustotal,
 DashboardGoogleCloud,
 DashboardVuls,
 InventoryVuls,
@@ -64,7 +62,6 @@ import {
 DockerDataSource,
 AlertsVulnerabilitiesDataSource,
 AWSDataSource,
- VirusTotalDataSource,
 FIMDataSource,
 GitHubDataSource,
 MalwareDetectionDataSource,
@@ -311,21 +308,6 @@ export const ModulesDefaults = {
 ],
 availableFor: ['manager', 'agent'],
 },
- virustotal: {
- tabs: [
- {
- id: 'dashboard',
- name: 'Dashboard',
- buttons: [ButtonExploreAgent, ButtonModuleGenerateReport],
- component: DashboardVirustotal,
- },
- renderDiscoverTab({
- tableColumns: virustotalColumns,
- DataSource: VirusTotalDataSource,
- }),
- ],
- availableFor: ['manager', 'agent'],
- },
 docker: {
 init: 'dashboard',
 tabs: [
diff --git a/plugins/main/public/components/overview/index.ts b/plugins/main/public/components/overview/index.ts
index 74f6becf54..03bc993a63 100644
--- a/plugins/main/public/components/overview/index.ts
+++ b/plugins/main/public/components/overview/index.ts
@@ -12,5 +12,4 @@ export { DashboardPCIDSS } from './pci/dashboards';
 export { DashboardOffice365 } from './office/dashboard';
 export { DashboardThreatHunting } from './threat-hunting/dashboard';
 export { DashboardTSC } from './tsc/dashboards';
-export { DashboardVirustotal } from './virustotal/dashboard';
 export { DashboardVuls, InventoryVuls } from './vulnerabilities';
diff --git a/plugins/main/public/components/overview/virustotal/dashboard/dashboard.tsx b/plugins/main/public/components/overview/virustotal/dashboard/dashboard.tsx
deleted file mode 100644
index 29cf0cff74..0000000000
--- a/plugins/main/public/components/overview/virustotal/dashboard/dashboard.tsx
+++ /dev/null
@@ -1,168 +0,0 @@ -import React, { useState, useEffect } from 'react'; -import { getPlugins } from '../../../../kibana-services'; -import { ViewMode } from '../../../../../../../src/plugins/embeddable/public'; -import { SearchResponse } from '../../../../../../../src/core/server'; -import { IndexPattern } from '../../../../../../../src/plugins/data/common'; -import { getDashboardPanels } from './dashboard_panels'; -import { I18nProvider } from '@osd/i18n/react'; -import useSearchBar from '../../../common/search-bar/use-search-bar'; -import { getKPIsPanel } from './dashboard_panels_kpis'; -import { - ErrorFactory, - ErrorHandler, - HttpError, -} from '../../../../react-services/error-management'; -import { withErrorBoundary } from '../../../common/hocs/error-boundary/with-error-boundary'; -import { SampleDataWarning } from '../../../visualize/components/sample-data-warning'; -import { - AlertsDataSourceRepository, - PatternDataSource, - tParsedIndexPattern, - useDataSource, -} from '../../../common/data-source'; -import { LoadingSearchbarProgress } from '../../../common/loading-searchbar-progress/loading-searchbar-progress'; -import { DiscoverNoResults } from '../../../common/no-results/no-results'; -import { VirusTotalDataSource } from '../../../common/data-source/pattern/alerts/virustotal/virustotal-data-source'; -import './virustotal_dashboard.scss'; -import { useReportingCommunicateSearchContext } from '../../../common/hooks/use-reporting-communicate-search-context'; -import { WzSearchBar } from '../../../common/search-bar'; - -const plugins = getPlugins(); - -const DashboardByRenderer = plugins.dashboard.DashboardContainerByValueRenderer; - -const DashboardVT: React.FC = () => { - const AlertsRepository = new AlertsDataSourceRepository(); - const { - filters, - dataSource, - fetchFilters, - fixedFilters, - isLoading: isDataSourceLoading, - fetchData, - setFilters, - } = useDataSource({ - DataSource: VirusTotalDataSource, - repository: AlertsRepository, - }); - 
- const [results, setResults] = useState({} as SearchResponse); - - const { searchBarProps } = useSearchBar({ - indexPattern: dataSource?.indexPattern as IndexPattern, - filters, - setFilters, - }); - const { query, absoluteDateRange } = searchBarProps; - - useReportingCommunicateSearchContext({ - isSearching: isDataSourceLoading, - totalResults: results?.hits?.total ?? 0, - indexPattern: dataSource?.indexPattern, - filters: fetchFilters, - query: query, - time: absoluteDateRange, - }); - - useEffect(() => { - if (isDataSourceLoading) { - return; - } - fetchData({ - query, - dateRange: absoluteDateRange, - }) - .then(results => { - setResults(results); - }) - .catch(error => { - const searchError = ErrorFactory.create(HttpError, { - error, - message: 'Error fetching data', - }); - ErrorHandler.handleError(searchError); - }); - }, [ - isDataSourceLoading, - JSON.stringify(fetchFilters), - JSON.stringify(query), - JSON.stringify(absoluteDateRange), - ]); - - return ( - - {isDataSourceLoading && !dataSource ? ( - - ) : ( - <> - - {!isDataSourceLoading && dataSource && results?.hits?.total > 0 ? ( - - ) : null} - {dataSource && results?.hits?.total === 0 ? ( - - ) : null} -
0 - ? '' - : 'wz-no-display' - }`} - > - - -
- - )} -
- ); -}; - -export const DashboardVirustotal = withErrorBoundary(DashboardVT); diff --git a/plugins/main/public/components/overview/virustotal/dashboard/dashboard_panels.ts b/plugins/main/public/components/overview/virustotal/dashboard/dashboard_panels.ts deleted file mode 100644 index 1ec019da2b..0000000000 --- a/plugins/main/public/components/overview/virustotal/dashboard/dashboard_panels.ts +++ /dev/null 
@@ -1,989 +0,0 @@ -import { DashboardPanelState } from '../../../../../../../../src/plugins/dashboard/public/application'; -import { EmbeddableInput } from '../../../../../../../../src/plugins/embeddable/public'; - -/* WARNING: The panel id must be unique including general and agents visualizations. Otherwise, the visualizations will not refresh when we pin an agent, because they are cached by id */ - -/* Overview visualizations */ - -const getVisStateTop5UniqueMaliciousFilesPerAgent = ( - indexPatternId: string, -) => { - return { - id: 'Wazuh-App-Overview-Virustotal-Malicious-Per-Agent', - title: 'Top 5 agents with unique malicious files', - type: 'pie', - params: { - type: 'pie', - addTooltip: true, - addLegend: true, - legendPosition: 'right', - isDonut: true, - labels: { - show: false, - values: true, - last_level: true, - truncate: 100, - }, - }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [ - { - meta: { - index: 'wazuh-alerts', - negate: true, - disabled: false, - alias: null, - type: 'phrase', - key: 'data.virustotal.malicious', - value: '0', - params: { - query: '0', - type: 'phrase', - }, - }, - query: { - match: { - 'data.virustotal.malicious': { - query: '0', - type: 'phrase', - }, - }, - }, - $state: { - store: 'appState', - }, - }, - ], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'cardinality', - schema: 'metric', - params: { field: 'data.virustotal.source.md5' }, - }, - { - id: '2', - enabled: true, - type: 'terms', - schema: 'segment', - params: { - field: 'agent.name', - size: 5, - order: 'desc', - orderBy: '1', - }, - }, - ], - }, - }; -}; - -const getVisStateLastScannedFiles = (indexPatternId: string) => { - return { - id: 'Wazuh-App-Overview-Virustotal-Last-Files-Pie', - title: 'Last scanned files', - type: 'pie', - params: { - type: 
'pie', - addTooltip: true, - addLegend: true, - legendPosition: 'right', - isDonut: true, - labels: { - show: false, - values: true, - last_level: true, - truncate: 100, - }, - }, - uiState: { - vis: { legendOpen: true }, - }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'count', - schema: 'metric', - params: { customLabel: 'Files' }, - }, - { - id: '2', - enabled: true, - type: 'terms', - schema: 'segment', - params: { - field: 'data.virustotal.source.file', - size: 5, - order: 'desc', - orderBy: '1', - }, - }, - ], - }, - }; -}; - -const getVisStateAlertsEvolutionByAgents = (indexPatternId: string) => { - return { - id: 'Wazuh-App-Overview-Virustotal-Alerts-Evolution', - title: 'Alerts evolution by agents', - type: 'histogram', - params: { - type: 'histogram', - grid: { categoryLines: false }, - categoryAxes: [ - { - id: 'CategoryAxis-1', - type: 'category', - position: 'bottom', - show: true, - style: {}, - scale: { type: 'linear' }, - labels: { show: true, filter: true, truncate: 100 }, - title: {}, - }, - ], - valueAxes: [ - { - id: 'ValueAxis-1', - name: 'LeftAxis-1', - type: 'value', - position: 'left', - show: true, - style: {}, - scale: { type: 'linear', mode: 'normal' }, - labels: { show: true, rotate: 0, filter: false, truncate: 100 }, - title: { text: 'Count' }, - }, - ], - seriesParams: [ - { - show: true, - type: 'histogram', - mode: 'stacked', - data: { label: 'Count', id: '1' }, - valueAxis: 'ValueAxis-1', - drawLinesBetweenPoints: true, - lineWidth: 2, - showCircles: true, - }, - ], - addTooltip: true, - addLegend: true, - legendPosition: 'right', - times: [], - addTimeMarker: false, - labels: { show: false }, - thresholdLine: { - show: false, - value: 10, - width: 1, - style: 'full', - color: 
'#E7664C', - }, - dimensions: { - x: { - accessor: 0, - format: { id: 'date', params: { pattern: 'YYYY-MM-DD HH:mm' } }, - params: { - date: true, - interval: 'PT3H', - intervalOpenSearchValue: 3, - intervalOpenSearchUnit: 'h', - format: 'YYYY-MM-DD HH:mm', - bounds: { - min: '2020-04-17T12:11:35.943Z', - max: '2020-04-24T12:11:35.944Z', - }, - }, - label: 'timestamp per 3 hours', - aggType: 'date_histogram', - }, - y: [ - { - accessor: 2, - format: { id: 'number' }, - params: {}, - label: 'Count', - aggType: 'count', - }, - ], - series: [ - { - accessor: 1, - format: { - id: 'string', - params: { - parsedUrl: { - origin: 'http://localhost:5601', - pathname: '/app/kibana', - basePath: '', - }, - }, - }, - params: {}, - label: 'Top 5 unusual terms in agent.name', - aggType: 'significant_terms', - }, - ], - }, - radiusRatio: 50, - }, - uiState: { - vis: { - defaultColors: { - '0 - 7': 'rgb(247,251,255)', - '7 - 13': 'rgb(219,233,246)', - '13 - 20': 'rgb(187,214,235)', - '20 - 26': 'rgb(137,190,220)', - '26 - 33': 'rgb(83,158,205)', - '33 - 39': 'rgb(42,123,186)', - '39 - 45': 'rgb(11,85,159)', - }, - legendOpen: true, - }, - }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [ - { - meta: { - index: 'wazuh-alerts', - negate: false, - disabled: false, - alias: null, - type: 'exists', - key: 'data.virustotal.positives', - value: 'exists', - }, - exists: { - field: 'data.virustotal.positives', - }, - $state: { - store: 'appState', - }, - }, - { - meta: { - index: 'wazuh-alerts', - negate: true, - disabled: false, - alias: null, - type: 'phrase', - key: 'data.virustotal.positives', - value: '0', - params: { - query: 0, - type: 'phrase', - }, - }, - query: { - match: { - 'data.virustotal.positives': { - query: 0, - type: 'phrase', - }, - }, - }, - $state: { - store: 'appState', - }, - }, - ], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: 
indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'count', - schema: 'metric', - params: {}, - }, - { - id: '3', - enabled: true, - type: 'terms', - schema: 'group', - params: { - field: 'agent.name', - orderBy: '1', - order: 'desc', - size: 5, - otherBucket: false, - otherBucketLabel: 'Other', - missingBucket: false, - missingBucketLabel: 'Missing', - }, - }, - { - id: '2', - enabled: true, - type: 'date_histogram', - schema: 'segment', - params: { - field: 'timestamp', - timeRange: { from: 'now-7d', to: 'now' }, - useNormalizedEsInterval: true, - scaleMetricValues: false, - interval: 'auto', - drop_partials: false, - min_doc_count: 1, - extended_bounds: {}, - }, - }, - ], - }, - }; -}; - -const getVisStateMaliciousFilesAlertsEvolution = (indexPatternId: string) => { - return { - id: 'Wazuh-App-Overview-Virustotal-Malicious-Evolution', - title: 'Malicious files alerts evolution', - type: 'histogram', - params: { - type: 'histogram', - grid: { categoryLines: false, style: { color: '#eee' } }, - categoryAxes: [ - { - id: 'CategoryAxis-1', - type: 'category', - position: 'bottom', - show: true, - style: {}, - scale: { type: 'linear' }, - labels: { show: true, filter: true, truncate: 100 }, - title: {}, - }, - ], - valueAxes: [ - { - id: 'ValueAxis-1', - name: 'LeftAxis-1', - type: 'value', - position: 'left', - show: true, - style: {}, - scale: { type: 'linear', mode: 'normal' }, - labels: { show: true, rotate: 0, filter: false, truncate: 100 }, - title: { text: 'Malicious' }, - }, - ], - seriesParams: [ - { - show: 'true', - type: 'histogram', - mode: 'stacked', - data: { label: 'Malicious', id: '1' }, - valueAxis: 'ValueAxis-1', - drawLinesBetweenPoints: true, - showCircles: true, - }, - ], - addTooltip: true, - addLegend: false, - legendPosition: 'right', - times: [], - addTimeMarker: false, - }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [ - { - meta: { - index: 'wazuh-alerts', - negate: 
false, - disabled: false, - alias: null, - type: 'exists', - key: 'data.virustotal.malicious', - value: 'exists', - }, - exists: { - field: 'data.virustotal.malicious', - }, - $state: { - store: 'appState', - }, - }, - { - meta: { - index: 'wazuh-alerts', - negate: true, - disabled: false, - alias: null, - type: 'phrase', - key: 'data.virustotal.malicious', - value: '0', - params: { - query: 0, - type: 'phrase', - }, - }, - query: { - match: { - 'data.virustotal.malicious': { - query: 0, - type: 'phrase', - }, - }, - }, - $state: { - store: 'appState', - }, - }, - ], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'count', - schema: 'metric', - params: { customLabel: 'Malicious' }, - }, - { - id: '2', - enabled: true, - type: 'date_histogram', - schema: 'segment', - params: { - field: 'timestamp', - interval: 'auto', - customInterval: '2h', - min_doc_count: 1, - extended_bounds: {}, - }, - }, - ], - }, - }; -}; - -const getVisStateLastFiles = (indexPatternId: string) => { - return { - id: 'Wazuh-App-Overview-Virustotal-Files-Table', - title: 'Last files', - type: 'table', - params: { - perPage: 10, - showPartialRows: false, - showMeticsAtAllLevels: false, - sort: { columnIndex: 2, direction: 'desc' }, - showTotal: false, - showToolbar: true, - totalFunc: 'sum', - }, - uiState: { - vis: { params: { sort: { columnIndex: 2, direction: 'desc' } } }, - }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'count', - schema: 'metric', - params: { customLabel: 'Count' }, - }, - { - id: '4', - enabled: true, - type: 'terms', - schema: 'bucket', - params: { - 
field: 'data.virustotal.source.file', - size: 10, - order: 'desc', - orderBy: '1', - customLabel: 'File', - }, - }, - { - id: '2', - enabled: true, - type: 'terms', - schema: 'bucket', - params: { - field: 'data.virustotal.permalink', - size: 1, - order: 'desc', - orderBy: '1', - customLabel: 'Link', - }, - }, - ], - }, - }; -}; - -/* Agent visualizations */ - -const getVisStateAgentLastScannedFiles = (indexPatternId: string) => { - return { - id: 'Wazuh-App-Agents-Virustotal-Last-Files-Pie', - title: 'Last scanned files', - type: 'pie', - params: { - type: 'pie', - addTooltip: true, - addLegend: true, - legendPosition: 'right', - isDonut: true, - labels: { show: false, values: true, last_level: true, truncate: 100 }, - }, - uiState: { vis: { legendOpen: true } }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'count', - schema: 'metric', - params: { customLabel: 'Files' }, - }, - { - id: '2', - enabled: true, - type: 'terms', - schema: 'segment', - params: { - field: 'data.virustotal.source.file', - size: 5, - order: 'desc', - orderBy: '1', - }, - }, - ], - }, - }; -}; - -const getVisStateAgentMaliciousFilesAlertsEvolution = ( - indexPatternId: string, -) => { - return { - id: 'Wazuh-App-Agents-Virustotal-Malicious-Evolution', - title: 'Malicious files alerts Evolution', - type: 'histogram', - params: { - type: 'histogram', - grid: { categoryLines: false, style: { color: '#eee' } }, - categoryAxes: [ - { - id: 'CategoryAxis-1', - type: 'category', - position: 'bottom', - show: true, - style: {}, - scale: { type: 'linear' }, - labels: { show: true, filter: true, truncate: 100 }, - title: {}, - }, - ], - valueAxes: [ - { - id: 'ValueAxis-1', - name: 'LeftAxis-1', - type: 'value', - position: 'left', - show: true, 
- style: {}, - scale: { type: 'linear', mode: 'normal' }, - labels: { show: true, rotate: 0, filter: false, truncate: 100 }, - title: { text: 'Malicious' }, - }, - ], - seriesParams: [ - { - show: 'true', - type: 'histogram', - mode: 'stacked', - data: { label: 'Malicious', id: '1' }, - valueAxis: 'ValueAxis-1', - drawLinesBetweenPoints: true, - showCircles: true, - }, - ], - addTooltip: true, - addLegend: false, - legendPosition: 'right', - times: [], - addTimeMarker: false, - }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [ - { - meta: { - index: 'wazuh-alerts', - negate: false, - disabled: false, - alias: null, - type: 'exists', - key: 'data.virustotal.positives', - value: 'exists', - }, - exists: { - field: 'data.virustotal.positives', - }, - $state: { - store: 'appState', - }, - }, - { - meta: { - index: 'wazuh-alerts', - negate: true, - disabled: false, - alias: null, - type: 'phrase', - key: 'data.virustotal.positives', - value: '0', - params: { - query: 0, - type: 'phrase', - }, - }, - query: { - match: { - 'data.virustotal.positives': { - query: 0, - type: 'phrase', - }, - }, - }, - $state: { - store: 'appState', - }, - }, - ], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'count', - schema: 'metric', - params: { customLabel: 'Malicious' }, - }, - { - id: '2', - enabled: true, - type: 'date_histogram', - schema: 'segment', - params: { - field: 'timestamp', - interval: 'auto', - customInterval: '2h', - min_doc_count: 1, - extended_bounds: {}, - }, - }, - ], - }, - }; -}; - -const getVisStateAgentLastFiles = (indexPatternId: string) => { - return { - id: 'Wazuh-App-Agents-Virustotal-Files-Table', - title: 'Last files', - type: 'table', - params: { - perPage: 10, - showPartialRows: false, - showMeticsAtAllLevels: false, - sort: { columnIndex: 2, 
direction: 'desc' }, - showTotal: false, - showToolbar: true, - totalFunc: 'sum', - }, - uiState: { - vis: { params: { sort: { columnIndex: 2, direction: 'desc' } } }, - }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'count', - schema: 'metric', - params: { customLabel: 'Count' }, - }, - { - id: '4', - enabled: true, - type: 'terms', - schema: 'bucket', - params: { - field: 'data.virustotal.source.file', - size: 10, - order: 'desc', - orderBy: '1', - customLabel: 'File', - }, - }, - { - id: '2', - enabled: true, - type: 'terms', - schema: 'bucket', - params: { - field: 'data.virustotal.permalink', - size: 1, - order: 'desc', - orderBy: '1', - missingBucket: true, - missingBucketLabel: '-', - customLabel: 'Link', - }, - }, - ], - }, - }; -}; - -/* Definitiion of panels */ - -export const getDashboardPanels = ( - indexPatternId: string, - pinnedAgent?: boolean, -): { - [panelId: string]: DashboardPanelState< - EmbeddableInput & { [k: string]: unknown } - >; -} => { - const pinnedAgentPanels = { - '6': { - gridData: { - w: 12, - h: 9, - x: 0, - y: 0, - i: '6', - }, - type: 'visualization', - explicitInput: { - id: '6', - savedVis: getVisStateAgentLastScannedFiles(indexPatternId), - }, - }, - '7': { - gridData: { - w: 36, - h: 9, - x: 12, - y: 0, - i: '7', - }, - type: 'visualization', - explicitInput: { - id: '7', - savedVis: getVisStateAgentMaliciousFilesAlertsEvolution(indexPatternId), - }, - }, - '8': { - gridData: { - w: 48, - h: 20, - x: 0, - y: 9, - i: '8', - }, - type: 'visualization', - explicitInput: { - id: '8', - savedVis: getVisStateAgentLastFiles(indexPatternId), - }, - }, - }; - - const panels = { - '1': { - gridData: { - w: 24, - h: 13, - x: 0, - y: 0, - i: '1', - }, - type: 'visualization', - 
explicitInput: { - id: '1', - savedVis: getVisStateTop5UniqueMaliciousFilesPerAgent(indexPatternId), - }, - }, - '2': { - gridData: { - w: 24, - h: 13, - x: 28, - y: 0, - i: '2', - }, - type: 'visualization', - explicitInput: { - id: '2', - savedVis: getVisStateLastScannedFiles(indexPatternId), - }, - }, - '3': { - gridData: { - w: 48, - h: 20, - x: 0, - y: 13, - i: '3', - }, - type: 'visualization', - explicitInput: { - id: '3', - savedVis: getVisStateAlertsEvolutionByAgents(indexPatternId), - }, - }, - '4': { - gridData: { - w: 48, - h: 9, - x: 0, - y: 23, - i: '4', - }, - type: 'visualization', - explicitInput: { - id: '4', - savedVis: getVisStateMaliciousFilesAlertsEvolution(indexPatternId), - }, - }, - '5': { - gridData: { - w: 48, - h: 20, - x: 0, - y: 32, - i: '5', - }, - type: 'visualization', - explicitInput: { - id: '5', - savedVis: getVisStateLastFiles(indexPatternId), - }, - }, - }; - - return pinnedAgent ? pinnedAgentPanels : panels; -}; diff --git a/plugins/main/public/components/overview/virustotal/dashboard/dashboard_panels_kpis.ts b/plugins/main/public/components/overview/virustotal/dashboard/dashboard_panels_kpis.ts deleted file mode 100644 index 3a738bcc66..0000000000 --- a/plugins/main/public/components/overview/virustotal/dashboard/dashboard_panels_kpis.ts +++ /dev/null 
@@ -1,304 +0,0 @@ -import { DashboardPanelState } from '../../../../../../../../src/plugins/dashboard/public/application'; -import { EmbeddableInput } from '../../../../../../../../src/plugins/embeddable/public'; - -const getVisStateTotalMalicious = (indexPatternId: string) => { - return { - id: 'Wazuh-App-Overview-Virustotal-Total-Malicious', - title: 'Total Malicious', - type: 'metric', - params: { - addTooltip: true, - addLegend: false, - type: 'metric', - metric: { - percentageMode: false, - useRanges: false, - colorSchema: 'Reds', - metricColorMode: 'Labels', - colorsRange: [ - { - from: 0, - to: 0, - }, - { - from: 0, - to: 0, - }, - ], - labels: { - show: true, - }, - invertColors: false, - style: { - bgFill: '#000', - bgColor: false, - labelColor: false, - subText: '', - fontSize: 40, - }, - }, - }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'count', - schema: 'metric', - params: { customLabel: ' ' }, - }, - { - id: '2', - enabled: true, - type: 'filters', - params: { - filters: [ - { - input: { - query: 'data.virustotal.malicious: 1', - language: 'kuery', - }, - label: '- Total malicious', - }, - ], - }, - schema: 'group', - }, - ], - }, - }; -}; - -const getVisStateTotalPositives = (indexPatternId: string) => { - return { - id: 'Wazuh-App-Overview-Virustotal-Total-Positives', - title: 'Total Positives', - type: 'metric', - params: { - addTooltip: true, - addLegend: false, - type: 'metric', - metric: { - percentageMode: false, - useRanges: false, - colorSchema: 'Greens', - metricColorMode: 'Labels', - colorsRange: [ - { - from: 0, - to: 0, - }, - { - from: 0, - to: 0, - }, - ], - labels: { - show: true, - }, - invertColors: false, - style: { - bgFill: '#000', - bgColor: false, - labelColor: false, - 
subText: '', - fontSize: 40, - }, - }, - }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'count', - schema: 'metric', - params: { customLabel: ' ' }, - }, - { - id: '2', - enabled: true, - type: 'filters', - params: { - filters: [ - { - input: { - query: 'data.virustotal.positives: *', - language: 'kuery', - }, - label: '- Total Positives', - }, - ], - }, - schema: 'group', - }, - ], - }, - }; -}; - -const getVisStateTotal = (indexPatternId: string) => { - return { - id: 'Wazuh-App-Overview-Virustotal-Total', - title: 'Total', - type: 'metric', - params: { - addTooltip: true, - addLegend: false, - type: 'metric', - metric: { - percentageMode: false, - useRanges: false, - colorSchema: 'Greens', - metricColorMode: 'Labels', - colorsRange: [ - { - from: 0, - to: 0, - }, - { - from: 0, - to: 0, - }, - ], - labels: { - show: true, - }, - invertColors: false, - style: { - bgFill: '#000', - bgColor: false, - labelColor: false, - subText: '', - fontSize: 40, - }, - }, - }, - data: { - searchSource: { - query: { - language: 'kuery', - query: '', - }, - filter: [], - index: indexPatternId, - }, - references: [ - { - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - id: indexPatternId, - }, - ], - aggs: [ - { - id: '1', - enabled: true, - type: 'count', - schema: 'metric', - params: { customLabel: ' ' }, - }, - { - id: '2', - enabled: true, - type: 'filters', - params: { - filters: [ - { - input: { - query: 'data.virustotal:*', - language: 'kuery', - }, - label: '- Total', - }, - ], - }, - schema: 'group', - }, - ], - }, - }; -}; - -export const getKPIsPanel = ( - indexPatternId: string, -): { - [panelId: string]: DashboardPanelState< - EmbeddableInput & { [k: string]: unknown } - >; -} => 
{ - return { - '1': { - gridData: { - w: 12, - h: 6, - x: 6, - y: 0, - i: '1', - }, - type: 'visualization', - explicitInput: { - id: '1', - savedVis: getVisStateTotalMalicious(indexPatternId), - }, - }, - '2': { - gridData: { - w: 12, - h: 6, - x: 18, - y: 0, - i: '2', - }, - type: 'visualization', - explicitInput: { - id: '2', - savedVis: getVisStateTotalPositives(indexPatternId), - }, - }, - '3': { - gridData: { - w: 12, - h: 6, - x: 30, - y: 0, - i: '3', - }, - type: 'visualization', - explicitInput: { - id: '3', - savedVis: getVisStateTotal(indexPatternId), - }, - }, - }; -}; diff --git a/plugins/main/public/components/overview/virustotal/dashboard/index.tsx b/plugins/main/public/components/overview/virustotal/dashboard/index.tsx deleted file mode 100644 index b58b6c9229..0000000000 --- a/plugins/main/public/components/overview/virustotal/dashboard/index.tsx +++ /dev/null @@ -1 +0,0 @@ -export * from './dashboard'; diff --git a/plugins/main/public/components/overview/virustotal/dashboard/virustotal_dashboard.scss b/plugins/main/public/components/overview/virustotal/dashboard/virustotal_dashboard.scss deleted file mode 100644 index 6e8f3eab43..0000000000 --- a/plugins/main/public/components/overview/virustotal/dashboard/virustotal_dashboard.scss +++ /dev/null @@ -1,10 +0,0 @@ -.virustotal-dashboard-responsive { - @media (max-width: 767px) { - .react-grid-layout { - height: auto !important; - } - .dshLayout-isMaximizedPanel { - height: calc(100vh - 44px) !important; - } - } -} diff --git a/plugins/main/public/components/overview/virustotal/events/virustotal-columns.tsx b/plugins/main/public/components/overview/virustotal/events/virustotal-columns.tsx deleted file mode 100644 index 790561a9e4..0000000000 --- a/plugins/main/public/components/overview/virustotal/events/virustotal-columns.tsx +++ /dev/null 
@@ -1,40 +0,0 @@ -import { tDataGridColumn } from '../../../common/data-grid'; -import React from 'react'; -import { EuiLink } from '@elastic/eui'; - -export const virustotalColumns: tDataGridColumn[] = [ - { - id: 'timestamp', - isSortable: true, - defaultSortDirection: 'desc', - }, - { - id: 'agent.name', - }, - { - id: 'data.virustotal.source.file', - }, - { - id: 'data.virustotal.permalink', - render: value => { - if (!value) { - return '-'; - } else { - return ( - - {value} - - ); - } - }, - }, - { - id: 'data.virustotal.malicious', - }, - { - id: 'data.virustotal.positives', - }, - { - id: 'data.virustotal.total', - }, -]; diff --git a/plugins/main/public/utils/applications.ts b/plugins/main/public/utils/applications.ts index 4db8e2d751..76ecbc060c 100644 --- a/plugins/main/public/utils/applications.ts +++ b/plugins/main/public/utils/applications.ts @@ -232,31 +232,6 @@ export const mitreAttack = { }`, }; -export const virustotal = { - category: 'wz-category-threat-intelligence', - id: 'virustotal', - title: i18n.translate('wz-app-virustotal-title', { - defaultMessage: 'VirusTotal', - }), - breadcrumbLabel: i18n.translate('wz-app-virustotal-breadcrumbLabel', { - defaultMessage: 'VirusTotal', - }), - description: i18n.translate('wz-app-virustotal-description', { - defaultMessage: - 'Alerts resulting from VirusTotal analysis of suspicious files via an integration with their API.', - }), - euiIconType: 'monitoringApp', - order: 303, - showInOverviewApp: true, - showInAgentMenu: true, - redirectTo: () => - `/overview/?tab=virustotal&tabView=dashboard${ - store.getState()?.appStateReducers?.currentAgentData?.id - ? `&agentId=${store.getState()?.appStateReducers?.currentAgentData?.id}` - : '' - }`, -}; - const pciDss = { category: 'wz-category-security-operations', id: 'pci-dss', @@ -841,7 +816,6 @@ export const Applications = [ threatHunting, vulnerabilityDetection, mitreAttack, - virustotal, pciDss, hipaa, gdpr, 
diff --git a/plugins/main/server/lib/reporting/summary-tables-definitions/agents/index.ts b/plugins/main/server/lib/reporting/summary-tables-definitions/agents/index.ts index 46dee71df3..c84014feea 100644 --- a/plugins/main/server/lib/reporting/summary-tables-definitions/agents/index.ts +++ b/plugins/main/server/lib/reporting/summary-tables-definitions/agents/index.ts @@ -6,15 +6,13 @@ const generalAlertsSummary = { AggregationFields['rule.id'], AggregationFields['rule.description'], AggregationFields['rule.level'], - ] -} + ], +}; const generalGroupsSummary = { title: 'Groups summary', - aggs: [ - AggregationFields['rule.groups'], - ] -} + aggs: [AggregationFields['rule.groups']], +}; const awsAlertsSummary = { title: 'Alerts summary', @@ -22,33 +20,24 @@ const awsAlertsSummary = { AggregationFields['rule.id'], AggregationFields['rule.description'], AggregationFields['rule.level'], - ] -} + ], +}; const fimAlertsSummary = { title: 'Alerts summary', aggs: [ AggregationFields['syscheck.path'], AggregationFields['rule.description'], - ] -} + ], +}; const gcpAlertsSummary = { title: 'Alerts summary', aggs: [ AggregationFields['rule.id'], AggregationFields['rule.description'], AggregationFields['rule.level'], - ] -} - -const virustotalAlertsSummary = { - title: 'Alerts summary', - aggs: [ - AggregationFields['rule.id'], - AggregationFields['rule.description'], - AggregationFields['rule.level'], - ] -} + ], +}; const osqueryAlertsSummary = { title: 'Alerts summary', @@ -58,8 +47,8 @@ const osqueryAlertsSummary = { AggregationFields['agent.name'], AggregationFields['data.osquery.pack'], AggregationFields['data.osquery.calendarTime'], - ] -} + ], +}; const mitreAlertsSummary = { title: 'Alerts summary', @@ -67,8 +56,8 @@ const mitreAlertsSummary = { AggregationFields['rule.id'], AggregationFields['rule.description'], AggregationFields['rule.level'], - ] -} + ], +}; const ciscatAlertsSummary = { title: 'Alerts summary', 
@@ -76,16 +65,16 @@ const ciscatAlertsSummary = { AggregationFields['data.cis.rule_title'], AggregationFields['data.cis.group'], AggregationFields['data.cis.result'], - ] -} + ], +}; const pmAlertsSummary = { title: 'Alerts summary', aggs: [ AggregationFields['rule.description'], AggregationFields['data.title'], - ] -} + ], +}; const tscAlertsSummary = { title: 'Alerts summary', @@ -93,8 +82,8 @@ const tscAlertsSummary = { AggregationFields['agent.name'], AggregationFields['rule.tsc'], AggregationFields['rule.description'], - ] -} + ], +}; const githubAlertsSummary = { title: 'Alerts summary', @@ -102,18 +91,14 @@ const githubAlertsSummary = { AggregationFields['agent.name'], AggregationFields['data.github.org'], AggregationFields['rule.description'], - ] -} + ], +}; // 'Wazuh-App-Agents-GDPR-Last-alerts' const gdprLastAlerts = { title: 'Last alerts', - aggs: [ - AggregationFields['rule.gdpr'], - AggregationFields['rule.description'], - ] - -} + aggs: [AggregationFields['rule.gdpr'], AggregationFields['rule.description']], +}; // 'Wazuh-App-Agents-PCI-Last-alerts' const pciLastAlerts = { @@ -121,8 +106,8 @@ const pciLastAlerts = { aggs: [ AggregationFields['rule.pci_dss'], AggregationFields['rule.description'], - ] -} + ], +}; // 'Wazuh-App-Agents-NIST-Last-alerts' const nistLastAlerts = { @@ -131,8 +116,8 @@ const nistLastAlerts = { AggregationFields['rule.nist_800_53'], AggregationFields['rule.level'], AggregationFields['rule.description'], - ] -} + ], +}; // 'Wazuh-App-Agents-HIPAA-Last-alerts' const hipaaLastAlerts = { @@ -141,8 +126,8 @@ const hipaaLastAlerts = { AggregationFields['rule.hipaa'], AggregationFields['rule.level'], AggregationFields['rule.description'], - ] -} + ], +}; // 'Wazuh-App-Agents-OSCAP-Last-alerts' const oscapLastAlerts = { 
@@ -150,8 +135,8 @@ const oscapLastAlerts = { aggs: [ AggregationFields['data.oscap.check.title'], AggregationFields['data.oscap.scan.profile.title'], - ] -} + ], +}; // 'Wazuh-App-Agents-Audit-Last-alerts' const auditLastAlerts = { @@ -160,8 +145,8 @@ const auditLastAlerts = { AggregationFields['rule.description'], AggregationFields['data.audit.exe'], AggregationFields['data.audit.type'], - ] -} + ], +}; const dockerAlertsSummary = { title: 'Events summary', @@ -169,8 +154,8 @@ const dockerAlertsSummary = { AggregationFields['data.docker.Actor.Attributes.name'], AggregationFields['data.docker.Action'], AggregationFields['timestamp'], - ] -} + ], +}; export default { general: [generalAlertsSummary, generalGroupsSummary], @@ -181,7 +166,6 @@ export default { nist: [nistLastAlerts], gcp: [gcpAlertsSummary], tsc: [tscAlertsSummary], - virustotal: [virustotalAlertsSummary], osquery: [osqueryAlertsSummary], mitre: [mitreAlertsSummary], ciscat: [ciscatAlertsSummary], @@ -191,4 +175,4 @@ export default { gdpr: [gdprLastAlerts], pci: [pciLastAlerts], docker: [dockerAlertsSummary], -} +}; diff --git a/plugins/main/server/routes/wazuh-reporting.ts b/plugins/main/server/routes/wazuh-reporting.ts index 7f78a27458..fe4fde4d70 100644 --- a/plugins/main/server/routes/wazuh-reporting.ts +++ b/plugins/main/server/routes/wazuh-reporting.ts 
@@ -18,16 +18,23 @@ export function WazuhReportingRoutes(router: IRouter) { const agentIDValidation = schema.string({ minLength: 3, - validate: (agentID: string) => /^\d{3,}$/.test(agentID) ? undefined : 'must be 0-9 are allowed' + validate: (agentID: string) => + /^\d{3,}$/.test(agentID) ? undefined : 'must be 0-9 are allowed', }); const groupIDValidation = schema.string({ minLength: 1, - validate: (agentID: string) => /^(?!^(\.{1,2}|all)$)[\w\.\-]+$/.test(agentID) ? undefined : 'must be A-z, 0-9, _, . are allowed. It must not be ., .. or all.' + validate: (agentID: string) => + /^(?!^(\.{1,2}|all)$)[\w\.\-]+$/.test(agentID) + ? undefined + : 'must be A-z, 0-9, _, . are allowed. It must not be ., .. or all.', }); const ReportFilenameValidation = schema.string({ - validate: (agentID: string) => /^[\w\-\.]+\.pdf$/.test(agentID) ? undefined : 'must be A-z, 0-9, _, ., and - are allowed. It must end with .pdf.' + validate: (agentID: string) => + /^[\w\-\.]+\.pdf$/.test(agentID) + ? undefined + : 'must be A-z, 0-9, _, ., and - are allowed. It must end with .pdf.', }); const moduleIDValidation = schema.oneOf([ @@ -43,7 +50,6 @@ export function WazuhReportingRoutes(router: IRouter) { schema.literal('ciscat'), schema.literal('vuls'), schema.literal('mitre'), - schema.literal('virustotal'), schema.literal('docker'), schema.literal('osquery'), schema.literal('oscap'), 
@@ -54,129 +60,154 @@ export function WazuhReportingRoutes(router: IRouter) { schema.literal('tsc'), ]); - router.post({ - path: '/reports/modules/{moduleID}', - validate: { - body: schema.object({ - array: schema.any(), - browserTimezone: schema.string(), - serverSideQuery: schema.maybe(schema.any()), - filters: schema.maybe(schema.any()), - agents: schema.maybe(schema.oneOf([agentIDValidation, schema.boolean()])), - components: schema.maybe(schema.any()), - searchBar: schema.maybe(schema.string()), - section: schema.maybe(schema.string()), - tab: schema.string(), - tables: schema.maybe(schema.any()), - time: schema.oneOf([schema.object({ - from: schema.string(), - to: schema.string() - }), schema.string()]), - indexPatternTitle: schema.string(), - apiId: schema.string() - }), - params: schema.object({ - moduleID: moduleIDValidation - }) - } - }, - (context, request, response) => ctrl.createReportsModules(context, request, response) + router.post( + { + path: '/reports/modules/{moduleID}', + validate: { + body: schema.object({ + array: schema.any(), + browserTimezone: schema.string(), + serverSideQuery: schema.maybe(schema.any()), + filters: schema.maybe(schema.any()), + agents: schema.maybe( + schema.oneOf([agentIDValidation, schema.boolean()]), + ), + components: schema.maybe(schema.any()), + searchBar: schema.maybe(schema.string()), + section: schema.maybe(schema.string()), + tab: schema.string(), + tables: schema.maybe(schema.any()), + time: schema.oneOf([ + schema.object({ + from: schema.string(), + to: schema.string(), + }), + schema.string(), + ]), + indexPatternTitle: schema.string(), + apiId: schema.string(), + }), + params: schema.object({ + moduleID: moduleIDValidation, + }), + }, + }, + (context, request, response) => + ctrl.createReportsModules(context, request, response), ); - router.post({ - path: '/reports/groups/{groupID}', - validate: { - body: schema.object({ - browserTimezone: schema.string(), - filters: schema.maybe(schema.any()), - 
components: schema.maybe(schema.any()), - section: schema.maybe(schema.string()), - apiId: schema.string() - }), - params: schema.object({ - groupID: groupIDValidation - }) - } - }, - (context, request, response) => ctrl.createReportsGroups(context, request, response) + router.post( + { + path: '/reports/groups/{groupID}', + validate: { + body: schema.object({ + browserTimezone: schema.string(), + filters: schema.maybe(schema.any()), + components: schema.maybe(schema.any()), + section: schema.maybe(schema.string()), + apiId: schema.string(), + }), + params: schema.object({ + groupID: groupIDValidation, + }), + }, + }, + (context, request, response) => + ctrl.createReportsGroups(context, request, response), ); - router.post({ - path: '/reports/agents/{agentID}', - validate: { - body: schema.object({ - browserTimezone: schema.string(), - filters: schema.any(), - components: schema.maybe(schema.any()), - section: schema.maybe(schema.string()), - apiId: schema.string() - }), - params: schema.object({ - agentID: agentIDValidation - }) - } - }, - (context, request, response) => ctrl.createReportsAgentsConfiguration(context, request, response) + router.post( + { + path: '/reports/agents/{agentID}', + validate: { + body: schema.object({ + browserTimezone: schema.string(), + filters: schema.any(), + components: schema.maybe(schema.any()), + section: schema.maybe(schema.string()), + apiId: schema.string(), + }), + params: schema.object({ + agentID: agentIDValidation, + }), + }, + }, + (context, request, response) => + ctrl.createReportsAgentsConfiguration(context, request, response), ); - router.post({ - path: '/reports/agents/{agentID}/inventory', - validate: { - body: schema.object({ - array: schema.any(), - browserTimezone: schema.string(), - serverSideQuery: schema.maybe(schema.any()), - filters: schema.maybe(schema.any()), - agents: schema.maybe(schema.oneOf([schema.string(), schema.boolean()])), - components: schema.maybe(schema.any()), - searchBar: 
schema.maybe(schema.oneOf([schema.string(), schema.boolean()])), - section: schema.maybe(schema.string()), - tab: schema.string(), - tables: schema.maybe(schema.any()), - time: schema.oneOf([schema.object({ - from: schema.string(), - to: schema.string() - }), schema.string()]), - indexPatternTitle: schema.string(), - apiId: schema.string() - }), - params: schema.object({ - agentID: agentIDValidation - }) - } - }, - (context, request, response) => ctrl.createReportsAgentsInventory(context, request, response) + router.post( + { + path: '/reports/agents/{agentID}/inventory', + validate: { + body: schema.object({ + array: schema.any(), + browserTimezone: schema.string(), + serverSideQuery: schema.maybe(schema.any()), + filters: schema.maybe(schema.any()), + agents: schema.maybe( + schema.oneOf([schema.string(), schema.boolean()]), + ), + components: schema.maybe(schema.any()), + searchBar: schema.maybe( + schema.oneOf([schema.string(), schema.boolean()]), + ), + section: schema.maybe(schema.string()), + tab: schema.string(), + tables: schema.maybe(schema.any()), + time: schema.oneOf([ + schema.object({ + from: schema.string(), + to: schema.string(), + }), + schema.string(), + ]), + indexPatternTitle: schema.string(), + apiId: schema.string(), + }), + params: schema.object({ + agentID: agentIDValidation, + }), + }, + }, + (context, request, response) => + ctrl.createReportsAgentsInventory(context, request, response), ); // Fetch specific report - router.get({ - path: '/reports/{name}', - validate: { - params: schema.object({ - name: ReportFilenameValidation - }) - } - }, - (context, request, response) => ctrl.getReportByName(context, request, response) + router.get( + { + path: '/reports/{name}', + validate: { + params: schema.object({ + name: ReportFilenameValidation, + }), + }, + }, + (context, request, response) => + ctrl.getReportByName(context, request, response), ); // Delete specific report - router.delete({ - path: '/reports/{name}', - validate: { - params: 
schema.object({
- name: ReportFilenameValidation
- })
- }
- },
- (context, request, response) => ctrl.deleteReportByName(context, request, response)
- )
+ router.delete(
+ {
+ path: '/reports/{name}',
+ validate: {
+ params: schema.object({
+ name: ReportFilenameValidation,
+ }),
+ },
+ },
+ (context, request, response) =>
+ ctrl.deleteReportByName(context, request, response),
+ );
 // Fetch the reports list
- router.get({
- path: '/reports',
- validate: false
- },
- (context, request, response) => ctrl.getReports(context, request, response)
+ router.get(
+ {
+ path: '/reports',
+ validate: false,
+ },
+ (context, request, response) => ctrl.getReports(context, request, response),
 );
 }
diff --git a/plugins/wazuh-core/common/constants.ts b/plugins/wazuh-core/common/constants.ts
index 604ab8db86..3b51f2e9bf 100644
--- a/plugins/wazuh-core/common/constants.ts
+++ b/plugins/wazuh-core/common/constants.ts
@@ -82,11 +82,11 @@ export const WAZUH_SAMPLE_ALERTS_CATEGORIES_TYPE_ALERTS = {
 { audit: true },
 { openscap: true },
 { ciscat: true },
+ { virustotal: true },
 { yara: true },
 ],
 [WAZUH_SAMPLE_ALERTS_CATEGORY_THREAT_DETECTION]: [
 { vulnerabilities: true },
- { virustotal: true },
 { osquery: true },
 { docker: true },
 { mitre: true },
diff --git a/scripts/wazuh-alerts-generator/cli.js b/scripts/wazuh-alerts-generator/cli.js
index 960cb418df..bb76d94843 100644
--- a/scripts/wazuh-alerts-generator/cli.js
+++ b/scripts/wazuh-alerts-generator/cli.js
@@ -107,14 +107,15 @@
 'web',
 'windows',
 ],
- 'auditing-policy-monitoring': ['audit', 'ciscat', 'openscap', 'rootcheck'],
- 'thread-detection': [
- 'docker',
- 'mitre',
- 'osquery',
+ 'auditing-policy-monitoring': [
+ 'audit',
+ 'ciscat',
+ 'openscap',
+ 'rootcheck',
 'virustotal',
+ 'yara',
 ],
+ 'thread-detection': ['docker', 'mitre', 'osquery', 'vulnerabilities'],
 };
 function displayHelp() {
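Review bot: The rewritten key `'thread-detection'` on the new side of the cli.js hunk reads like a typo for `threat-detection`; the same spelling is on the old side, so it is presumably a CLI value users already pass and renaming it would be a compatibility change rather than a cleanup, but a comment such as `// 'thread-detection' is the historical spelling accepted on the command line; kept for compatibility` would stop the next reader from "fixing" it. The list that now receives `'virustotal'` and `'yara'` is keyed `'auditing-policy-monitoring'`, a name that does not obviously describe VirusTotal or YARA malware alerts; confirm this key is the generator's identifier for the intended destination category and not a misplacement. Its membership now mirrors the `{ virustotal: true }` and `{ yara: true }` entries in the constants.ts hunk above, so the two lists are in sync after this change; a one-line comment on the cli.js map naming `WAZUH_SAMPLE_ALERTS_CATEGORIES_TYPE_ALERTS` as the list it must track would help keep them that way.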