Add sample data to dashboards

[juankaromo]

Hi team,

We need to add to Elasticsearch sample data and alerts to feed the Wazuh App dashboards so that users can see a real example of the views provided in that panel.

To do this, we will add a new section to the new visualize menu to add sample data, similar to the one Kibana has:

We can diversify the creation of this example data into sections. For example, create example data for 'THREAT DETECTION AND RESPONSE' or data for 'REGULATORY COMPLIANCE'.

This data will be inserted into a new wazuh-sample-data index so that it does not get mixed up with the actual alerts and can be removed when the user wishes.

• Create new section to add sample data @victorst79
• Create a method to generate fake alerts of every module @jesusrodriguezl @Joanes04 @victorst79 @Desvelao
• Index this alerts in the new index @Desvelao

Regards.

[victorst79]

Sample data reference:

[Desvelao]

Add modules data

Notes:
Alerts are generated with a script in the app backend.
For each sample data category an index is created with shards/replicas as configurated in wazuh.yml. This index has as name <index_pattern_without_*>-sample-<category>. For example, wazuh-alerts-3.x--sample-security.
In each dashboard, it will show a callout to warn that there is sample data installed.

Backend changes:
4 app server endpoints added:

• GET /elastic/samplealerts/{pattern} - check if there is sample data installed.
• GET /elastic/samplealerts/{pattern}/{category} - check if there is sample data installed for a category.
• POST /elastic/samplealerts/{pattern}/{category} - add sample data for that category.
• DELETE /elastic/samplealerts/{pattern}/{category} - remove sample data (index) for that category.

Other changes:

• Added Redux action and reducer variable currentPattern in appStateReducers needed it to send sample data request with the current index pattern selected, for create/update/check existence of sample data indices.

Preview

Adding/removing data

Sample data callout in modules

More screenshots

[Desvelao]

Problems:

• There is some problem with dashboard stats for the modules when use the new menu to go to a module. If this, is accessed from Overview (where modules cards) or some other app section, it seems that module stats are loaded and show correctly.
• VirusTotal heatmap visualization shows a rare error
  

TODO

• Fix creation of new indices for sample data with wazuh-alerts-3.x-* prefix.
• Manage sample data (add/delete) only avaliable for admin
• Remove Regulatory Compliance category
• fix CIS-CAT stats

Think about

• Does sample data need real agents?

[Desvelao]

Files:
script: server/lib/generate-alerts/generate-alerts-script.js
modules sample data: server/lib/generate-alerts/sample-data

We need to generate sample data for:

• Authentication @Desvelao
• SSH @Desvelao
• AWS @Desvelao
• Integrity monitoring @victorst79
• Policy monitoring @Desvelao
• System Auditing @Joanes04
• OpenSCAP @Desvelao
• CIS-CAT @Joanes04
• Vulnerabilities @Joanes04
• VirusTotal @Joanes04
• Osquery @Joanes04
• Docker listener @Joanes04
• Windows
• Firewall
• Apache @Desvelao
• Web @Desvelao

[Desvelao]

Admin mode

Management of sample data is only avaliable when is admin mode.

Changes:

• Sample data link appears in Management section of Wazuh menu when admin mode is enabled
  

• Sample data card in Management welcome
  

• Wazuh visualize callout
  

• If try to enter to sample data section in no admin mode, buttons are disabled and the app redirects to app root path.

Update 2020/04/09
Now adminMode for sample data links/components is managed with Redux store. This prevents blinkins in sample data related components when checks admin mode with a request to app backend.
adminMode in Redux is updated:

• when app start
• each time access to a component what requires adminMode (does a request to app backend to check if adminMode has been changed in wazuh.yml)