Merge pull request #938 from wazuh/osquery-wodle

Osquery wodle views

config.yml

@@ -44,6 +44,7 @@
 #extensions.ciscat    : false
 #extensions.aws       : false
 #extensions.virustotal: false
+#extensions.osquery   : false
 #
 # ---------------------------------- Time out ----------------------------------
 #

public/controllers/agent/agents.js

@@ -98,7 +98,7 @@ class AgentsController {
     this.tabVisualizations.assign('agents');
 
     this.$scope.hostMonitoringTabs = ['general', 'fim', 'syscollector'];
-    this.$scope.systemAuditTabs = ['pm', 'audit', 'oscap', 'ciscat'];
+    this.$scope.systemAuditTabs = ['pm', 'audit', 'oscap', 'ciscat', 'osquery'];
     this.$scope.securityTabs = ['vuls', 'virustotal'];
     this.$scope.complianceTabs = ['pci', 'gdpr'];
 

public/controllers/overview/index.js

@@ -21,7 +21,8 @@ import {
   metricsVulnerability,
   metricsScap,
   metricsCiscat,
-  metricsVirustotal
+  metricsVirustotal,
+  metricsOsquery
 } from '../../utils/overview-metrics';
 
 import { queryConfig } from '../../services/query-config';
@@ -68,7 +69,7 @@ app.controller('overviewController', function(
   tabVisualizations.assign('overview');
 
   $scope.hostMonitoringTabs = ['general', 'fim', 'aws'];
-  $scope.systemAuditTabs = ['pm', 'audit', 'oscap', 'ciscat'];
+  $scope.systemAuditTabs = ['pm', 'audit', 'oscap', 'ciscat', 'osquery'];
   $scope.securityTabs = ['vuls', 'virustotal'];
   $scope.complianceTabs = ['pci', 'gdpr'];
 
@@ -102,6 +103,9 @@ app.controller('overviewController', function(
         case 'virustotal':
           createMetrics(metricsVirustotal);
           break;
+        case 'osquery':
+          createMetrics(metricsOsquery);
+          break;
       }
     }
   };
@@ -257,10 +261,6 @@ app.controller('overviewController', function(
 
       $scope.wzMonitoringEnabled = !!configuration['wazuh.monitoring.enabled'];
 
-      if (!$scope.wzMonitoringEnabled) {
-        await getSummary();
-      }
-
       return;
     } catch (error) {
       $scope.wzMonitoringEnabled = true;
@@ -274,9 +274,7 @@ app.controller('overviewController', function(
 
       $scope.switchTab($scope.tab, true);
 
-      if ($scope.tab && $scope.tab === 'welcome') {
-        await getSummary();
-      }
+      await getSummary();
 
       if (!$scope.$$phase) $scope.$digest();
 

public/controllers/settings/index.js

@@ -288,6 +288,7 @@ app.controller('settingsController', function(
       tmpData.extensions.ciscat = config['extensions.ciscat'];
       tmpData.extensions.aws = config['extensions.aws'];
       tmpData.extensions.virustotal = config['extensions.virustotal'];
+      tmpData.extensions.osquery = config['extensions.osquery'];
 
       const checkData = await testAPI.check(tmpData);
 
@@ -573,6 +574,7 @@ app.controller('settingsController', function(
         $scope.extensions.ciscat = config['extensions.ciscat'];
         $scope.extensions.aws = config['extensions.aws'];
         $scope.extensions.virustotal = config['extensions.virustotal'];
+        $scope.extensions.osquery = config['extensions.osquery'];
       } else {
         $scope.extensions = appState.getExtensions(
           JSON.parse(appState.getCurrentAPI()).id

public/factories/tab-visualizations.js

@@ -24,7 +24,8 @@ export class TabVisualizations {
       gdpr: 3,
       pci: 3,
       virustotal: 6,
-      configuration: 0
+      configuration: 0,
+      osquery: 5
     };
 
     this.overview = {
@@ -39,7 +40,8 @@ export class TabVisualizations {
       pci: 6,
       gdpr: 6,
       aws: 6,
-      virustotal: 7
+      virustotal: 7,
+      osquery: 5
     };
 
     this.tabVisualizations = {};

public/services/common-data.js

@@ -98,7 +98,8 @@ export class CommonData {
         pci: { group: 'pci_dss' },
         gdpr: { group: 'gdpr' },
         aws: { group: 'amazon' },
-        virustotal: { group: 'virustotal' }
+        virustotal: { group: 'virustotal' },
+        osquery: { group: 'osquery' }
       };
 
       const filters = [];

public/services/resolves/get-config.js

@@ -25,6 +25,7 @@ export async function getWzConfig($q, genericReq, errorHandler, wazuhConfig) {
     'extensions.ciscat': false,
     'extensions.aws': false,
     'extensions.virustotal': false,
+    'extensions.osquery': false,
     timeout: 8000,
     'wazuh.shards': 1,
     'wazuh.replicas': 1,

public/services/resolves/settings-wizard.js

@@ -122,7 +122,8 @@ export function settingsWizard(
           oscap: config['extensions.oscap'],
           ciscat: config['extensions.ciscat'],
           aws: config['extensions.aws'],
-          virustotal: config['extensions.virustotal']
+          virustotal: config['extensions.virustotal'],
+          osquery: config['extensions.osquery']
         };
         appState.setExtensions(currentApi, extensions);
       }

public/templates/agents/agents-osquery.html

@@ -0,0 +1,46 @@
+<md-content flex layout="column" ng-if="tab === 'osquery' && tabView === 'panels'" ng-class="{'no-opacity': resultState !== 'ready' || !rendered}" layout-align="start">
+    <div layout="row" class="height-300">
+        <md-card flex class="wz-md-card">
+            <md-card-content class="wazuh-column">
+                <span class="wz-headline-title">Most common Osquery packs being used</span>
+                <md-divider class="wz-margin-top-10"></md-divider>
+                <kbn-vis id="Wazuh-App-Agents-Osquery-top-5-packs-being-used" vis-id="'Wazuh-App-Agents-Osquery-top-5-packs-being-used'"></kbn-vis>
+            </md-card-content>
+        </md-card>
+        <md-card flex="70" class="wz-md-card">
+            <md-card-content class="wazuh-column">
+                <span class="wz-headline-title">Evolution of Osquery events per pack over time</span>
+                <md-divider class="wz-margin-top-10"></md-divider>
+                <kbn-vis id="Wazuh-App-Agents-Osquery-events-per-pack-over-time" vis-id="'Wazuh-App-Agents-Osquery-events-per-pack-over-time'"></kbn-vis>
+            </md-card-content>
+        </md-card>
+    </div>
+
+    <div layout="row" class="height-300">
+        <md-card flex class="wz-md-card">
+            <md-card-content class="wazuh-column">
+                <span class="wz-headline-title">Most common Osquery actions</span>
+                <md-divider class="wz-margin-top-10"></md-divider>
+                <kbn-vis id="Wazuh-App-Agents-Osquery-most-common-osquery-actions" vis-id="'Wazuh-App-Agents-Osquery-most-common-osquery-actions'"></kbn-vis>
+            </md-card-content>
+        </md-card>
+
+        <md-card flex="70" class="wz-md-card">
+            <md-card-content class="wazuh-column">
+                <span class="wz-headline-title">Most common rules</span>
+                <md-divider class="wz-margin-top-10"></md-divider>
+                <kbn-vis id="Wazuh-App-Agents-Osquery-monst-common-rules-being-fired" vis-id="'Wazuh-App-Agents-Osquery-monst-common-rules-being-fired'"></kbn-vis>
+            </md-card-content>
+        </md-card>
+    </div>
+
+    <div layout="row" class="height-300">
+        <md-card flex class="wz-md-card">
+            <md-card-content class="wazuh-column">
+                <span class="wz-headline-title">Evolution of Osquery events over time</span>
+                <md-divider class="wz-margin-top-10"></md-divider>
+                <kbn-vis id="Wazuh-App-Agents-Osquery-events-over-time" vis-id="'Wazuh-App-Agents-Osquery-events-over-time'"></kbn-vis>
+            </md-card-content>
+        </md-card>
+    </div>
+</md-content>

public/templates/agents/agents-welcome.html

@@ -122,6 +122,11 @@ <h3 class="euiTitle wzEuiTitle">Auditing and Policy Monitoring</h3>
                             title="'CIS-CAT'" switch-tab="switchTab('ciscat')" current-tab="'ciscat'"
                             description="TabDescription.ciscat.description"
                         ></wz-welcome-card>
+                        <wz-welcome-card
+                            ng-if="extensions.osquery" class="euiFlexItem" logo="'icons/osquery.png'"
+                            title="'Osquery'" switch-tab="switchTab('osquery')" current-tab="'osquery'"
+                            description="TabDescription.osquery.description"
+                        ></wz-welcome-card>
                     </div>
                 </div>
             </div>

public/templates/agents/agents.head

@@ -132,7 +132,7 @@
 
     <!-- System audit navigation bar -->
     <md-nav-bar
-        ng-if="inArray(tab, systemAuditTabs) && (extensions.audit || extensions.oscap || extensions.ciscat)"
+        ng-if="inArray(tab, systemAuditTabs) && (extensions.audit || extensions.oscap || extensions.ciscat || extensions.osquery)"
         class="wz-nav-bar"
         ng-show="tab !== 'welcome'"
         md-selected-nav-item="tab"
@@ -141,7 +141,8 @@
         <md-nav-item ng-show="extensions.audit" class="wz-nav-item" md-nav-click="switchTab('audit')" name="audit">{{ tabNames['audit'] }}</md-nav-item>
         <md-nav-item ng-show="extensions.oscap" class="wz-nav-item" md-nav-click="switchTab('oscap')" name="oscap">{{ tabNames['oscap'] }}</md-nav-item>
         <md-nav-item ng-show="extensions.ciscat" class="wz-nav-item" md-nav-click="switchTab('ciscat')" name="ciscat">{{ tabNames['ciscat'] }}</md-nav-item>
-    </md-nav-bar>
+        <md-nav-item ng-show="extensions.osquery" class="wz-nav-item" md-nav-click="switchTab('osquery')" name="osquery">{{ tabNames['osquery'] }}</md-nav-item>
+      </md-nav-bar>
     <!-- End System audit navigation bar -->
 
     <!-- Security navigation bar -->

public/templates/agents/agents.jade

@@ -11,5 +11,6 @@ include ./agents-pci.html
 include ./agents-gdpr.html
 include ./agents-virustotal.html
 include ./agents-syscollector.html
+include ./agents-osquery.html
 include ../management/configuration/agent-configuration.jade
 include ../footer.foot

public/templates/overview/overview-osquery.html

@@ -0,0 +1,50 @@
+<md-content flex layout="column" ng-if="tab === 'osquery' && tabView === 'panels'" ng-class="{'no-opacity': resultState !== 'ready' || !rendered}" layout-align="start">
+    <div layout="row">
+        <md-card flex class="wz-metric-color wz-md-card">
+            <md-card-content layout="row" class="wz-padding-metric">
+                <div class="wz-text-truncatable" flex>Agents reporting Osquery events: <span class="wz-text-bold" ng-bind="osqueryAgentsReporting()"></span> of <span class="wz-text-bold">{{ agentsCountTotal }}</span></div>
+            </md-card-content>
+        </md-card>
+    </div>
+
+    <div class="wz-no-display">
+        <kbn-vis vis-id="'Wazuh-App-Overview-Osquery-Agents-reporting'"></kbn-vis>
+    </div>
+
+    <div layout="row" class="height-300">
+        <md-card flex class="wz-md-card">
+            <md-card-content class="wazuh-column">
+                <span class="wz-headline-title">Alerts over time</span>
+                <md-divider class="wz-margin-top-10"></md-divider>
+                <kbn-vis id="Wazuh-App-Overview-Osquery-Alerts-over-time" vis-id="'Wazuh-App-Overview-Osquery-Alerts-over-time'"></kbn-vis>
+            </md-card-content>
+        </md-card>
+    </div>
+
+    <div layout="row" class="height-300">
+        <md-card flex="30" class="wz-md-card">
+            <md-card-content class="wazuh-column">
+                <span class="wz-headline-title">Most common packs</span>
+                <md-divider class="wz-margin-top-10"></md-divider>
+                <kbn-vis id="Wazuh-App-Overview-Osquery-Most-common-packs" vis-id="'Wazuh-App-Overview-Osquery-Most-common-packs'"></kbn-vis>
+            </md-card-content>
+        </md-card>
+        <md-card flex class="wz-md-card">
+            <md-card-content class="wazuh-column">
+                <span class="wz-headline-title">Top 5 rules</span>
+                <md-divider class="wz-margin-top-10"></md-divider>
+                <kbn-vis id="Wazuh-App-Overview-Osquery-Top-5-rules" vis-id="'Wazuh-App-Overview-Osquery-Top-5-rules'"></kbn-vis>
+            </md-card-content>
+        </md-card>
+    </div>
+
+    <div layout="row" class="height-300">
+        <md-card flex class="wz-md-card">
+            <md-card-content class="wazuh-column">
+                <span class="wz-headline-title">Alerts evolution - Top 5 agents</span>
+                <md-divider class="wz-margin-top-10"></md-divider>
+                <kbn-vis id="Wazuh-App-Overview-Osquery-Alerts-evolution-Top-5-agents" vis-id="'Wazuh-App-Overview-Osquery-Alerts-evolution-Top-5-agents'"></kbn-vis>
+            </md-card-content>
+        </md-card>
+    </div>
+</md-content>

public/templates/overview/overview-welcome.html

@@ -75,6 +75,11 @@ <h3 class="euiTitle wzEuiTitle">Auditing and Policy Monitoring</h3>
                             title="'CIS-CAT'" switch-tab="switchTab('ciscat')" current-tab="'ciscat'"
                             description="TabDescription.ciscat.description"
                         ></wz-welcome-card>
+                        <wz-welcome-card
+                            ng-if="extensions.osquery" class="euiFlexItem" logo="'icons/osquery.png'"
+                            title="'Osquery'" switch-tab="switchTab('osquery')" current-tab="'osquery'"
+                            description="TabDescription.osquery.description"
+                        ></wz-welcome-card>
                     </div>
                 </div>
             </div>

public/templates/overview/overview.head

@@ -65,7 +65,7 @@
 
     <!-- System audit navigation bar -->
     <md-nav-bar
-        ng-if="inArray(tab, systemAuditTabs) && (extensions.audit || extensions.oscap || extensions.ciscat)"
+        ng-if="inArray(tab, systemAuditTabs) && (extensions.audit || extensions.oscap || extensions.ciscat || extensions.osquery)"
         class="wz-nav-bar"
         ng-show="tab !== 'welcome'"
         md-selected-nav-item="tab"
@@ -74,6 +74,7 @@
         <md-nav-item ng-show="extensions.audit" class="wz-nav-item" md-nav-click="switchTab('audit')" name="audit">{{ tabNames['audit'] }}</md-nav-item>
         <md-nav-item ng-show="extensions.oscap" class="wz-nav-item" md-nav-click="switchTab('oscap')" name="oscap">{{ tabNames['oscap'] }}</md-nav-item>
         <md-nav-item ng-show="extensions.ciscat" class="wz-nav-item" md-nav-click="switchTab('ciscat')" name="ciscat">{{ tabNames['ciscat'] }}</md-nav-item>
+        <md-nav-item ng-show="extensions.osquery" class="wz-nav-item" md-nav-click="switchTab('osquery')" name="osquery">{{ tabNames['osquery'] }}</md-nav-item>
     </md-nav-bar>
     <!-- End System audit navigation bar -->
 

public/templates/overview/overview.jade

@@ -11,4 +11,5 @@ include ./overview-pci.html
 include ./overview-gdpr.html
 include ./overview-aws.html
 include ./overview-virustotal.html
+include ./overview-osquery.html
 include ../footer.foot

public/templates/settings/settings-extensions.html

@@ -114,6 +114,26 @@
             </md-card-actions>
         </md-card>
 
+        <!-- Osquery -->
+        <md-card flex="45" layout="column" class="wz-md-card">
+            <md-card-content flex="auto" layout="column">
+                <span class="wz-headline-title"><i class="fa fa-fw fa-rocket" aria-hidden="true"></i> {{ tabNames['osquery'] }}</span>
+                <md-divider class="wz-margin-top-10"></md-divider>
+                <div layout="column">
+                    <p class="md-body-1 wz-padding-top-10">Osquery can be used to expose an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data.</p>
+                </div>
+                <span flex></span>
+                <div layout="row" class="wz-padding-top-10">
+                    <md-switch class="wz-switch" aria-label="Osquery extension switch" ng-model="extensions.osquery" ng-change="toggleExtension('osquery',extensions.osquery)"></md-switch>
+                </div>
+            </md-card-content>
+            <md-card-actions layout="row" layout-align="end center" class="wz-card-actions">
+                <md-button target="_blank" href="https://documentation.wazuh.com/current/user-manual/capabilities/osquery.html" class="wz-text-link cursor-pointer small" aria-label="Osquery integration documentation">
+                    <i class="fa fa-fw fa-info" aria-hidden="true"></i> More info
+                </md-button>
+            </md-card-actions>
+        </md-card>
+
         <!-- Amazon -->
         <md-card flex="45" layout="column" class="wz-md-card">
             <md-card-content flex="auto" layout="column">

public/utils/overview-metrics.js

@@ -69,11 +69,18 @@ const metricsVirustotal = {
   virusTotal: '[vis-id="\'Wazuh-App-Overview-Virustotal-Total\'"]'
 };
 
+// Metrics OSQuery
+const metricsOsquery = {
+  osqueryAgentsReporting:
+    '[vis-id="\'Wazuh-App-Overview-Osquery-Agents-reporting\'"]'
+};
+
 export default {
   metricsGeneral,
   metricsAudit,
   metricsVulnerability,
   metricsScap,
   metricsCiscat,
-  metricsVirustotal
+  metricsVirustotal,
+  metricsOsquery
 };

server/integration-files/known-fields.js

@@ -5143,5 +5143,23 @@ export const knownFields = [
     searchable: true,
     aggregatable: true,
     readFromDocValues: true
+  },
+  {
+    name: 'data.osquery.pack',
+    type: 'string',
+    count: 0,
+    scripted: false,
+    searchable: true,
+    aggregatable: true,
+    readFromDocValues: true
+  },
+  {
+    name: 'data.osquery.action',
+    type: 'string',
+    count: 0,
+    scripted: false,
+    searchable: true,
+    aggregatable: true,
+    readFromDocValues: true
   }
 ];