Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Stateless Messages to Inventory Module Indicating Detected Deltas #437

Closed
4 tasks done
Tracked by #241
vikman90 opened this issue Dec 17, 2024 · 6 comments · Fixed by #454
Closed
4 tasks done
Tracked by #241

Add Stateless Messages to Inventory Module Indicating Detected Deltas #437

vikman90 opened this issue Dec 17, 2024 · 6 comments · Fixed by #454
Assignees
@ncvicchi @nbertoldo
Labels
level/task Task issue module/inventory Inventory module mvp Minimum Viable Product refinement type/enhancement Enhancement issue
Milestone
MVP Agent refinement

Comments

@vikman90
Copy link
Member

vikman90 commented Dec 17, 2024
edited by cborla
Loading

Description

The Inventory module must produce a stateless message containing the deltas (changes) detected during an inventory scan. These messages will accompany the stateful messages, ensuring that both event types provide relevant information about detected changes.

Requirements

  1. Stateless Message Generation
    • The Inventory module must generate a stateless message when a delta (change) is detected.
    • Stateless messages should only be produced after the initial scan has completed.
    • These messages must be generated alongside the stateful messages.
  2. ECS Compliance
    • Both stateless and stateful messages must conform to the ECS (Elastic Common Schema) format.
  3. Delta Representation
    • Stateless messages should clearly indicate the delta or change detected during the scan process.

Acceptance Criteria

  • Stateless messages are generated when changes are detected, excluding the initial scan.
  • Stateless messages accompany the corresponding stateful messages.
  • Messages follow ECS standards.
  • Deltas are accurately represented in the stateless message.
@vikman90 vikman90 added level/task Task issue module/inventory Inventory module mvp Minimum Viable Product refinement type/enhancement Enhancement issue labels Dec 17, 2024
@vikman90 vikman90 mentioned this issue Dec 17, 2024
Closed
53 tasks
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 5.0.0 Dec 17, 2024
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 5.0.0 Dec 17, 2024
@ncvicchi ncvicchi mentioned this issue Dec 19, 2024
Merged
@cborla cborla linked a pull request Jan 3, 2025 that will close this issue
Add Stateless Messages to Inventory Module Indicating Detected Deltas #454
Merged
@cborla
Copy link
Member

cborla commented Jan 3, 2025
edited
Loading

Work update

2025/01/03

  • Rebased the branch to master.
  • Code review.
  • E2E testing.

2025/01/08

  • Unit test fixed.
  • Analyzing the new message structure similar to FIM.

2025/01/10

  • Stateless event section construction.
    • Hardware
    • Ports
    • Packages
    • Include state differences in the json
  • First Scan code analysis.

2025/01/13

  • Added previous value structrue.
  • Working on prepara stataless json objet to send.

2025/01/15

  • Stateless messages complete
  • Ut fixed.
  • E2E testing.

@ncvicchi
Copy link
Contributor

2025/01/09

  • Implemented first scan detection logic
  • Implemented writemetadata, readmetada and deletemetada functions
  • Performed logic behaviour tests with several scenarios

@ncvicchi
Copy link
Contributor

Database first scan flags reflection in metadata table:

All options enabled:

Key Value
hardware-first-scan 2025-01-10T15:40:56.879Z
hotfixes-first-scan 2025-01-10T15:41:02.217Z
networks-first-scan 2025-01-10T15:41:02.394Z
packages-first-scan 2025-01-10T15:41:01.051Z
ports-first-scan 2025-01-10T15:41:02.378Z
processes-first-scan 2025-01-10T15:41:02.217Z
system-first-scan 2025-01-10T15:40:56.883Z

networks and packages disabled

Key Value
hardware-first-scan 2025-01-10T15:40:56.879Z
hotfixes-first-scan 2025-01-10T15:41:02.217Z
ports-first-scan 2025-01-10T15:41:02.378Z
processes-first-scan 2025-01-10T15:41:02.217Z
system-first-scan 2025-01-10T15:40:56.883Z

Intentory module disabled

Key Value

Inventory module reenabled:

Key Value
hardware-first-scan 2025-01-10T15:47:42.625Z
hotfixes-first-scan 2025-01-10T15:47:43.829Z
ports-first-scan 2025-01-10T15:47:44.141Z
processes-first-scan 2025-01-10T15:47:43.829Z
system-first-scan 2025-01-10T15:47:42.628Z

networks y packages reenabled:

Key Value
hardware-first-scan 2025-01-10T15:47:42.625Z
hotfixes-first-scan 2025-01-10T15:47:43.829Z
networks-first-scan 2025-01-10T15:49:08.714Z
packages-first-scan 2025-01-10T15:49:07.622Z
ports-first-scan 2025-01-10T15:47:44.141Z
processes-first-scan 2025-01-10T15:47:43.829Z
system-first-scan 2025-01-10T15:47:42.628Z

@nbertoldo nbertoldo self-assigned this Jan 13, 2025
@nbertoldo
Copy link
Member

nbertoldo commented Jan 13, 2025
edited
Loading

Work update

2025/01/13

  • Enable return_old_data option to add previous data in the inventory delta events.
  • We should avoid storing null fields in the dbsync database, since every scan reports a change. This is because when reading the table it gets “” instead of null.

2025/01/14

  • Remove false deltas caused by storing null values in the inventory tables.
  • Fix unit tests.
  • Analysis of how to update metadata table without starting the whole inventory module.

2025/01/15

  • Refactoring to allow cleaning of the metadata table when the inventory module is disables without starting the whole module.

2025/01/16

  • Modified dbsync sqlite wrapper to allow storing null values in table fields.

2025/01/17

  • Fixed dbengine UTs.
  • Fixed packages stateless events.
  • Tests E2E.

@vikman90 vikman90 added this to the MVP Agent refinement (I) milestone Jan 15, 2025
@wazuhci wazuhci moved this from In progress to In review in XDR+SIEM/Release 5.0.0 Jan 16, 2025
@nbertoldo
Copy link
Member

E2E Test Stateful Events

Hardware 
{
  "_index": "wazuh-states-inventory-hardware",
  "_id": "390c253daf42673a999eb0727e3dfc384da2ec64",
  "_version": 3,
  "_score": null,
  "_source": {
    "agent": {
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-17T17:46:48.960Z",
    "host": {
      "cpu": {
        "cores": 8,
        "name": "AMD Ryzen 7 5800X 8-Core Processor",
        "speed": 3800
      },
      "memory": {
        "free": 8124296,
        "total": 12247076,
        "used": {
          "percentage": 34
        }
      }
    },
    "observer": {
      "serial_number": "0"
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-17T17:46:48.960Z"
    ]
  },
  "sort": [
    1737136008960
  ]
}
System 
{
  "_index": "wazuh-states-inventory-system",
  "_id": "61cefd485dfc039f9ed7b2cc875a9e3c60d2355f",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-17T17:42:42.745Z",
    "host": {
      "architecture": "x86_64",
      "hostname": "noble",
      "os": {
        "full": "noble",
        "kernel": null,
        "name": "Ubuntu",
        "platform": "ubuntu",
        "type": "Linux",
        "version": "24.04.1 LTS (Noble Numbat)"
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-17T17:42:42.745Z"
    ]
  },
  "sort": [
    1737135762745
  ]
}
Packages 
{
  "_index": "wazuh-states-inventory-packages",
  "_id": "a9b72cae89623be4614c7715f11004afa3701ba4",
  "_version": 4,
  "_score": null,
  "_source": {
    "agent": {
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-17T17:49:50.252Z",
    "package": {
      "architecture": "all",
      "description": "grep-like program specifically for large source trees",
      "installed": null,
      "name": "ack",
      "path": "",
      "size": 229376,
      "type": "deb",
      "version": "3.7.0-1"
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-17T17:49:50.252Z"
    ]
  },
  "sort": [
    1737136190252
  ]
}
Processes 
{
  "_index": "wazuh-states-inventory-processes",
  "_id": "ecec94170c330df5df519cdb270b103cc4f962f0",
  "_version": 3,
  "_score": null,
  "_source": {
    "agent": {
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-17T17:52:51.665Z",
    "process": {
      "args": null,
      "command_line": null,
      "group": {
        "id": "root"
      },
      "name": "rcu_preempt",
      "parent": {
        "pid": 2
      },
      "pid": "17",
      "real_group": {
        "id": "root"
      },
      "real_user": {
        "id": "root"
      },
      "saved_group": {
        "id": "root"
      },
      "saved_user": {
        "id": "root"
      },
      "start": 1737125336,
      "thread": {
        "id": 17
      },
      "tty": {
        "char_device": {
          "major": 0
        }
      },
      "user": {
        "id": "root"
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-17T17:52:51.665Z"
    ],
    "process.start": [
      "1970-01-21T02:32:05.336Z"
    ]
  },
  "sort": [
    1737136371665
  ]
}
Networks 
{
  "_index": "wazuh-states-inventory-networks",
  "_id": "3d2d17f57ced6ce3d5892d46c4df2f491f27da52",
  "_version": 5,
  "_score": null,
  "_source": {
    "agent": {
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-17T17:52:51.665Z",
    "host": {
      "ip": [
        "10.0.2.15"
      ],
      "mac": "08:00:27:64:e1:ff",
      "network": {
        "egress": {
          "bytes": 9615193,
          "drops": 0,
          "errors": 0,
          "packets": 41339
        },
        "ingress": {
          "bytes": 192404085,
          "drops": 0,
          "errors": 0,
          "packets": 153501
        }
      }
    },
    "interface": {
      "mtu": 1500,
      "state": "up",
      "type": "ethernet"
    },
    "network": {
      "broadcast": [
        "10.0.2.255"
      ],
      "dhcp": null,
      "gateway": [
        "10.0.2.2"
      ],
      "metric": "100",
      "netmask": [
        "255.255.255.0"
      ],
      "protocol": null,
      "type": "ipv4"
    },
    "observer": {
      "ingress": {
        "interface": {
          "alias": "",
          "name": "eth0"
        }
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-17T17:52:51.665Z"
    ]
  },
  "sort": [
    1737136371665
  ]
}
Ports 
{
  "_index": "wazuh-states-inventory-ports",
  "_id": "0102439a966b9bcc7bb88daaa12c42320390ebb2",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "groups": [],
      "type": "Endpoint",
      "version": "5.0.0",
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      }
    },
    "@timestamp": "2025-01-17T17:52:51.665Z",
    "destination": {
      "ip": [
        "192.168.56.125"
      ],
      "port": 27000
    },
    "file": {
      "inode": 192151
    },
    "host": {
      "network": {
        "egress": {
          "queue": 0
        },
        "ingress": {
          "queue": 510
        }
      }
    },
    "interface": {
      "state": "established"
    },
    "network": {
      "protocol": "tcp"
    },
    "process": {
      "name": "wazuh-agent",
      "pid": 42289
    },
    "source": {
      "ip": [
        "192.168.56.132"
      ],
      "port": 45792
    }
  },
  "fields": {
    "@timestamp": [
      "2025-01-17T17:52:51.665Z"
    ]
  },
  "sort": [
    1737136371665
  ]
}

@nbertoldo
Copy link
Member

E2E Test Stateless Events

Hardware 
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "AKtZdZQBLzTJpoVmulSC",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "hardware-detected",
      "category": [
        "host"
      ],
      "created": "2025-01-17T17:39:43.299Z",
      "reason": "New hardware detected: AMD Ryzen 7 5800X 8-Core Processor with 11 GB memory",
      "type": [
        "start"
      ]
    },
    "host": {
      "cpu": {
        "cores": 8,
        "name": "AMD Ryzen 7 5800X 8-Core Processor",
        "speed": 3800
      },
      "memory": {
        "free": 8120800,
        "total": 12247076,
        "used": {
          "percentage": 34
        }
      }
    },
    "observer": {
      "serial_number": "0"
    }
  },
  "fields": {
    "event.created": [
      "2025-01-17T17:39:43.299Z"
    ]
  }
}
System 
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "QqtcdZQBLzTJpoVmVlYw",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "system-detected",
      "category": [
        "host"
      ],
      "created": "2025-01-17T17:42:42.745Z",
      "reason": "System noble is running OS version 24.04.1 LTS (Noble Numbat)",
      "type": [
        "info"
      ]
    },
    "host": {
      "architecture": "x86_64",
      "hostname": "noble",
      "os": {
        "full": "noble",
        "kernel": null,
        "name": "Ubuntu",
        "platform": "ubuntu",
        "type": "Linux",
        "version": "24.04.1 LTS (Noble Numbat)"
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-17T17:42:42.745Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@system-detected@/opensearch-dashboards-highlighted-field@"
    ]
  }
}
Packages 
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "P6tcdZQBLzTJpoVmd1rg",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "package-installed",
      "category": [
        "package"
      ],
      "created": "2025-01-17T17:42:42.745Z",
      "reason": "Package Pygments (version 2.17.2) was installed",
      "type": [
        "installation"
      ]
    },
    "package": {
      "architecture": "",
      "description": null,
      "installed": null,
      "name": "Pygments",
      "path": "/usr/lib/python3/dist-packages/pygments-2.17.2.dist-info/METADATA",
      "size": null,
      "type": "pypi",
      "version": "2.17.2"
    }
  },
  "fields": {
    "event.created": [
      "2025-01-17T17:42:42.745Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@package-installed@/opensearch-dashboards-highlighted-field@"
    ]
  }
}
Processes 
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "GatZdZQBLzTJpoVmulWC",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "process-started",
      "category": [
        "process"
      ],
      "created": "2025-01-17T17:39:43.299Z",
      "reason": "Process kworker/3:1-eve (PID: kworker/3:1-eve) was started",
      "type": [
        "start"
      ]
    },
    "process": {
      "args": null,
      "command_line": null,
      "group": {
        "id": "root"
      },
      "name": "kworker/3:1-eve",
      "parent": {
        "pid": 2
      },
      "pid": "41984",
      "real_group": {
        "id": "root"
      },
      "real_user": {
        "id": "root"
      },
      "saved_group": {
        "id": "root"
      },
      "saved_user": {
        "id": "root"
      },
      "start": 1737135040,
      "thread": {
        "id": 41984
      },
      "tty": {
        "char_device": {
          "major": 0
        }
      },
      "user": {
        "id": "root"
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-17T17:39:43.299Z"
    ],
    "process.start": [
      "1970-01-21T02:32:15.040Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@process-started@/opensearch-dashboards-highlighted-field@"
    ]
  }
}
Networks 
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "M6tZdZQBLzTJpoVmulWC",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "event": {
      "action": "network-interface-updated",
      "category": [
        "network"
      ],
      "changed_fields": [
        "host.network.ingress.bytes",
        "host.network.ingress.packets",
        "host.network.egress.bytes",
        "host.network.egress.packets"
      ],
      "created": "2025-01-17T17:39:43.299Z",
      "reason": "Network interface eth0 updated",
      "type": [
        "change"
      ]
    },
    "host": {
      "ip": [
        "10.0.2.15"
      ],
      "mac": "08:00:27:64:e1:ff",
      "network": {
        "egress": {
          "bytes": 9507634,
          "drops": 0,
          "errors": 0,
          "packets": 40761,
          "previous": {
            "bytes": 9183172,
            "packets": 39051
          }
        },
        "ingress": {
          "bytes": 192028953,
          "drops": 0,
          "errors": 0,
          "packets": 152720,
          "previous": {
            "bytes": 191335102,
            "packets": 150235
          }
        }
      }
    },
    "interface": {
      "mtu": 1500,
      "state": "up",
      "type": "ethernet"
    },
    "network": {
      "broadcast": [
        "10.0.2.255"
      ],
      "dhcp": null,
      "gateway": [
        "10.0.2.2"
      ],
      "metric": "100",
      "netmask": [
        "255.255.255.0"
      ],
      "protocol": null,
      "type": "ipv4"
    },
    "observer": {
      "ingress": {
        "interface": {
          "alias": "",
          "name": "eth0"
        }
      }
    }
  },
  "fields": {
    "event.created": [
      "2025-01-17T17:39:43.299Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@network-interface-updated@/opensearch-dashboards-highlighted-field@"
    ]
  }
}
Ports 
{
  "_index": "wazuh-alerts-5.x-0001",
  "_id": "I6tZdZQBLzTJpoVmulWC",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "groups": [],
      "host": {
        "architecture": "x86_64",
        "hostname": "noble",
        "ip": [
          "10.0.2.15",
          "fe80::a00:27ff:fe64:e1ff",
          "192.168.56.132",
          "fe80::a00:27ff:fecb:7200"
        ],
        "os": {
          "name": "Ubuntu",
          "type": "Linux",
          "version": "24.04.1 LTS (Noble Numbat)"
        }
      },
      "id": "26353180-0a76-48b5-bc8b-9d317f1ed07b",
      "name": "noble",
      "type": "Endpoint",
      "version": "5.0.0"
    },
    "destination": {
      "ip": [
        "0.0.0.0"
      ],
      "port": 0
    },
    "event": {
      "action": "port-updated",
      "category": [
        "network"
      ],
      "changed_fields": [
        "process.name",
        "process.pid"
      ],
      "created": "2025-01-17T17:39:43.299Z",
      "reason": "Updated connection from source port 53 to destination port 0",
      "type": [
        "change"
      ]
    },
    "file": {
      "inode": 11300
    },
    "host": {
      "network": {
        "egress": {
          "queue": 0
        },
        "ingress": {
          "queue": 0
        }
      }
    },
    "interface": {
      "state": null
    },
    "network": {
      "protocol": "udp"
    },
    "process": {
      "name": "systemd-resolve",
      "pid": 706,
      "previous": {
        "name": null,
        "pid": null
      }
    },
    "source": {
      "ip": [
        "127.0.0.54"
      ],
      "port": 53
    }
  },
  "fields": {
    "event.created": [
      "2025-01-17T17:39:43.299Z"
    ]
  },
  "highlight": {
    "event.action": [
      "@opensearch-dashboards-highlighted-field@port-updated@/opensearch-dashboards-highlighted-field@"
    ]
  }
}

@wazuhci wazuhci moved this from In review to Done in XDR+SIEM/Release 5.0.0 Jan 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ncvicchi ncvicchi

@nbertoldo nbertoldo

Labels
level/task Task issue module/inventory Inventory module mvp Minimum Viable Product refinement type/enhancement Enhancement issue
Projects
XDR+SIEM/Release 5.0.0
Status: Done
Milestone
MVP Agent refinement
Development

Successfully merging a pull request may close this issue.

Add Stateless Messages to Inventory Module Indicating Detected Deltas wazuh/wazuh-agent
4 participants
@vikman90 @cborla @ncvicchi @nbertoldo