Cloud integration modules tier 1 #579

Open
davidjiglesias opened this issue Feb 6, 2025 · 1 comment
Labels
level/objective Objective issue type/enhancement Enhancement issue

Comments


davidjiglesias commented Feb 6, 2025

Description

This objective aims to migrate 4.X Cloud integration modules to Wazuh agent 5.0, focusing on maintaining the functionality and integrating it with the new agent modules.

Functional requirements

  • The list of modules to migrate is the following:
    • GitHub
    • Microsoft Graph
    • Office 365
  • Module functionality must remain the same as in 4.X; we should only refactor the minimum necessary to allow the modules to integrate their IO with the 5.0 agent.
  • The configuration should be adapted to the new yml format and revisited for clarity. Only renaming is allowed.

Non-functional requirements

  • The modules' performance must remain the same as or better than in 4.X.
  • We cannot add nor change libraries, dependencies or frameworks.

Implementation restrictions

  • The modules must use the same technology.

Testing

  • The migration must include unit tests.

Documentation

  • The modules must include technical documentation adapted to 5.0 standards.

Future developments

  • AWS
  • GCP

Plan

Spike

The spike phase focuses on creating generic agent modules to facilitate code reuse and ensure compatibility with Wazuh Agent 5.0. The tasks are as follows:

  1. Develop a generic agent module for HTTPS requests:
    • Implement the module in C++ using coroutines.
    • Perform HTTPS requests and handle responses.
    • Enqueue the result as a stateless message.
  2. Design the architecture of the modules:
    • Define class methods and configuration structures.
    • Ensure the design supports flexibility for integration with specific modules.

Development

In the development phase, we will build specific modules for each cloud integration, leveraging the generic modules and adapting configurations accordingly. The tasks for each module are as follows:

  1. Develop GitHub module:
    • Write the configuration parser.
    • Extend the generic module with GitHub API-specific functionalities.
    • Implement necessary unit tests.
    • Document the module following Wazuh 5.0 standards.
  2. Develop Microsoft Graph (MS-Graph) module:
    • Write the configuration parser.
    • Extend the generic module with Microsoft Graph API-specific functionalities.
    • Implement necessary unit tests.
    • Document the module following Wazuh 5.0 standards.
  3. Develop Office 365 module:
    • Write the configuration parser.
    • Extend the generic module with Office 365 API-specific functionalities.
    • Implement necessary unit tests.
    • Document the module following Wazuh 5.0 standards.
@davidjiglesias davidjiglesias added level/objective Objective issue type/enhancement Enhancement issue labels Feb 6, 2025
@wazuhci wazuhci added this to Roadmap Feb 6, 2025
@wazuhci wazuhci moved this to Draft in Roadmap Feb 6, 2025
@wazuhci wazuhci moved this to Blocked in XDR+SIEM/Release 5.0.0 Feb 6, 2025
@vikman90 (Member) commented:

Configuration proposal

This is a proposal to be discussed. Please be consistent with the names and maintain a convention, both in these modules and with existing ones.

GitHub

github:
  enabled: true
  interval: 1m
  time_delay: 1m
  max_payload_size: 1M                                # coming from <curl_max_size>
  enable_bookmark: true                               # coming from <only_future_events>, please think the same for Logcollector
  api_auth:
    - org_name: dummy1
      token: ghp_oiasd6efbvptrfdua8fyepnfdc78ewf324jg # coming from <api_token>
    - org_name: dummy2
      token: ghp_oiasd6efbvptrfdua8fyepnfdc78ewf324jg
  api_parameters:
    event_type: git

MS-Graph

ms_graph:
  enabled: true
  enable_bookmark: true           # coming from <only_future_events>, please think the same for Logcollector
  max_payload_size: 10M           # coming from <curl_max_size>, please use the same in GitHub
  run_on_start: true
  interval: 5m
  version: v1.0
  api_auth:
    - client_id: your_client_id
      tenant_id: your_tenant_id
      secret: your_secret_value   # coming from <secret_value>
      api_type: global
    - client_id: your_client_id_2
      tenant_id: your_tenant_id_2
      secret: your_secret_value_2 # coming from <secret_value>
      api_type: gcc-high
  resources:
    - name: security
      relationships:
        - alerts_v2
        - incidents
    - name: auditLogs
      relationships:
        - signIns
    - name: deviceManagement
      relationships:
        - auditEvents

Office365

office365:
  enabled: true
  interval: 1m
  max_payload_size: 1M            # coming from <curl_max_size>, please use the same in the rest
  enable_bookmark: true           # coming from <only_future_events>, please think the same for Logcollector
  api_auth:
    - client_id: your_client_id
      tenant_id: your_tenant_id
      secret: your_secret_value   # coming from <client_secret>
      api_type: global
    - client_id: your_client_id_2
      tenant_id: your_tenant_id_2
      secret: your_secret_value_2 # coming from <client_secret>
      api_type: commercial
  subscriptions:
    - Audit.AzureActiveDirectory
    - Audit.General
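As an added example (not Wazuh's code and not part of this issue), these are helpers the "configuration parser" tasks in the plan could use for the proposed keys: unit parsing for interval/time_delay and for max_payload_size (the old curl_max_size, which bounds how large a response body a module will accept), plus a check of api_type. parseInterval, parseSize and checkApiType are assumed names, and the allowed api_type sets are assumed to be exactly the values shown in the proposal.

```cpp
#include <cstdint>
#include <limits>
#include <map>
#include <optional>
#include <string>
#include <vector>

// Parse "<digits><unit>" and scale by the unit's multiplier. Returns nullopt on empty
// input, non-digits, an unknown unit or overflow, so a bad value is reported instead
// of silently becoming 0 or wrapping to a huge limit. 'bare' is the multiplier for a
// value without a unit suffix (0 = a bare number is not allowed).
static std::optional<uint64_t> parseWithUnit(const std::string& v,
                                             const std::map<char, uint64_t>& units,
                                             uint64_t bare) {
    if (v.empty()) return std::nullopt;
    std::string digits = v;
    uint64_t mult = bare;
    auto unit = units.find(v.back());
    if (unit != units.end()) { mult = unit->second; digits.pop_back(); }
    if (mult == 0 || digits.empty() || digits.size() > 18) return std::nullopt;
    uint64_t n = 0;
    for (char c : digits) {
        if (c < '0' || c > '9') return std::nullopt;
        n = n * 10 + static_cast<uint64_t>(c - '0');
    }
    if (n > std::numeric_limits<uint64_t>::max() / mult) return std::nullopt;
    return n * mult;
}

// interval / time_delay: "30s", "1m", "2h", "1d" -> seconds. Lowercase units only and
// no bare numbers, so a size such as "1M" is never mistaken for a time.
std::optional<uint64_t> parseInterval(const std::string& v) {
    return parseWithUnit(v, {{'s', 1}, {'m', 60}, {'h', 3600}, {'d', 86400}}, 0);
}

// max_payload_size (old <curl_max_size>): "512K", "1M", "10M", "1G" or plain bytes.
std::optional<uint64_t> parseSize(const std::string& v) {
    const uint64_t k = 1024;
    return parseWithUnit(v, {{'K', k}, {'M', k * k}, {'G', k * k * k}}, 1);
}

// api_type values shown in the proposal per module (assumed complete here); anything
// else is a configuration error rather than a silent fallback to "global".
bool checkApiType(const std::string& module, const std::string& apiType) {
    static const std::map<std::string, std::vector<std::string>> allowed = {
        {"ms_graph", {"global", "gcc-high"}},
        {"office365", {"global", "commercial"}},
    };
    auto it = allowed.find(module);
    if (it == allowed.end()) return false;
    for (const auto& a : it->second) if (a == apiType) return true;
    return false;
}
```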
