Fix Alerts Summary table truncated results #5131
Conversation
There was a problem hiding this comment.
Security Information Management
| Module | With pinned agent | Without agent |
|---|---|---|
| Security events | 🟢 | 🟢 |
| Integrity monitoring | 🟢 | 🟢 |
| Office 365 | ⚫ | 🟢 |
| Amazon AWS | 🟢 | 🟢 |
| Google Cloud Platform | 🟢 | 🟢 |
| GitHub | 🟢 | 🟢 |
Auditing and Policy Monitoring
| Module | With pinned agent | Without agent |
|---|---|---|
| Policy monitoring | 🟢 | 🟢 |
| Security configuration assessment | ⚫ | ⚫ |
| System auditing | 🟢 | 🟢 |
| OpenSCAP | 🟢 | 🟢 |
| CIS-CAT | 🟢 | 🟢 |
Threat Detection and Response
| Module | With pinned agent | Without agent |
|---|---|---|
| Vulnerabilities | ⚫ | ⚫ |
| MITRE ATT&CK | ⚫ | ⚫ |
| VirusTotal | ⚫ | ⚫ |
| Osquery | ⚫ | ⚫ |
| Docker listener | ⚫ | ⚫ |
Regulatory Compliance
| Module | With pinned agent | Without agent |
|---|---|---|
| PCI DSS | ⚫ | ⚫ |
| NIST 800-53 | ⚫ | ⚫ |
| GDPR | ⚫ | ⚫ |
| HIPAA | ⚫ | ⚫ |
| TSC | ⚫ | ⚫ |
Security Information Management
Auditing and Policy Monitoring
Threat Detection and Response
Regulatory Compliance
|
ImportantI found out that the filters applied to the PDF report tables are not including the Allowed Agents applied to the visualizations
Segregation of the Allowed Agents filter in the server-side controller
Final query filters
This mus be fixed in this PR |
Added allowed_agents filter to the following server-side queriesAudit requests:
GDPR requests:
Overview requests:
PCI requests:
Rootcheck requests:
Alerts Summary tables:
Syscheck requests:
TSC requests:
Vulnerability requests:
These requests need to be included in the tests, with the |
|
Tests
|
|
I was researching the problem with the tests. There are some tests failing that are related to the checking the md5 of PDF reports. I think the problem is the note for the allowed agents is added when is not the use case: @asteriscos, could you review it? EDIT: I think there is a problem with this conditional: https://github.com/wazuh/wazuh-kibana-app/pull/5131/files#diff-e344f646f1844581c2ba5159d750a8f075c476e56350e3bcc6018f87136dd973R344-R346. It is always truthy and the allowed note is added to the PDF module report. |
|
Tests
🔴 TSCWhen an agent is pinned, it works as expected and in EvidenceAgents
Without pinned agents, 9 pages and only showing agent 002 (4.4-2)
With agent 001 pinned, 9 pages and only showing agent 001 (4.4-3)
With agent 002 pinned, 9 pages and only showing agent 002 (4.4-2)
With agent 003 pinned , 9 pages and only showing agent 003 (4.4)
|
I think that problem is related to the following issue: #5134 |
|
There was a problem hiding this comment.
review:
code 🟢
test 🟢
I checked when the allowed agents should appear and it is working as expected. I verified the next cases:
| case | result |
|---|---|
| With pinned agent | 🟢 |
| Without pinned agent | 🟢 |
| With pinned agent and allowed agents | 🟢 |
| Without pinned agent and allowed agents | 🟢 |
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-4.4-7.16 4.4-7.16
# Navigate to the new working tree
cd .worktrees/backport-4.4-7.16
# Create a new branch
git switch --create backport-5131-to-4.4-7.16
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c54058037361a724126d6bf8b7a6f6254e0a6670
# Push it to GitHub
git push --set-upstream origin backport-5131-to-4.4-7.16
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-4.4-7.16Then, create a pull request where the |
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-4.4-7.10 4.4-7.10
# Navigate to the new working tree
cd .worktrees/backport-4.4-7.10
# Create a new branch
git switch --create backport-5131-to-4.4-7.10
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c54058037361a724126d6bf8b7a6f6254e0a6670
# Push it to GitHub
git push --set-upstream origin backport-5131-to-4.4-7.10
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-4.4-7.10Then, create a pull request where the |
* Fix query result parsing algorithm * Added changelog * Add allowed_agents filter to the report queries * Fix agentsFilter conditional Co-authored-by: Antonio <34042064+Desvelao@users.noreply.github.com> (cherry picked from commit c540580)
* Fix query result parsing algorithm * Added changelog * Add allowed_agents filter to the report queries * Fix agentsFilter conditional Co-authored-by: Antonio <34042064+Desvelao@users.noreply.github.com> (cherry picked from commit c540580)
Fix Alerts Summary table truncated results (#5131) * Fix query result parsing algorithm * Added changelog * Add allowed_agents filter to the report queries * Fix agentsFilter conditional Co-authored-by: Antonio <34042064+Desvelao@users.noreply.github.com> (cherry picked from commit c540580) Co-authored-by: Federico Rodriguez <federico.rodriguez@wazuh.com>
Fix Alerts Summary table truncated results (#5131) * Fix query result parsing algorithm * Added changelog * Add allowed_agents filter to the report queries * Fix agentsFilter conditional Co-authored-by: Antonio <34042064+Desvelao@users.noreply.github.com> (cherry picked from commit c540580) Co-authored-by: Federico Rodriguez <federico.rodriguez@wazuh.com>
Description
Team,
this PR fixes the query result of the PDF report Alerts Summary Table to avoid truncating the number of rows. The parsing algorithm wasn't iterating all the bucket combinations, therefore it returned only the first combination of buckets. Now it iterates al possible combinations of the aggregation buckets and returns all possible results.
Note: We also found server-side functions truncate and sort indexer queries. The issue is described in the issue #5134
Issues Resolved
Closes #5130
Evidence
Test
Check allowed Agents
Security Information Management
Auditing and Policy Monitoring
Threat Detection and Response
Regulatory Compliance
Check List
yarn test:jest