From c923029c1bc0639205ba80ba2969e00d054bc5c0 Mon Sep 17 00:00:00 2001 From: Federico Rodriguez Date: Mon, 24 Jul 2023 12:52:59 +0200 Subject: [PATCH 1/6] Backport 5714 to 7.16 --- public/react-services/reporting.js | 4 +- server/controllers/wazuh-reporting.ts | 16 ++++++-- server/lib/reporting/base-query.ts | 41 +++++--------------- server/lib/reporting/extended-information.ts | 2 +- server/lib/reporting/gdpr-request.ts | 16 ++++---- server/lib/reporting/pci-request.ts | 14 ++++--- server/lib/reporting/tsc-request.ts | 16 ++++---- server/routes/wazuh-reporting.test.ts | 2 +- server/routes/wazuh-reporting.ts | 2 + 9 files changed, 55 insertions(+), 58 deletions(-) diff --git a/public/react-services/reporting.js b/public/react-services/reporting.js index b74ed090ff..a9ad9a868f 100644 --- a/public/react-services/reporting.js +++ b/public/react-services/reporting.js @@ -89,13 +89,15 @@ export class ReportingService { } const appliedFilters = await this.visHandlers.getAppliedFilters(syscollectorFilters); - + const dataplugin = await getDataPlugin(); + const serverSideQuery = dataplugin.query.getEsQuery(); const array = await this.vis2png.checkArray(visualizationIDList); const browserTimezone = moment.tz.guess(true); const data = { array, + serverSideQuery, filters: appliedFilters.filters, time: appliedFilters.time, searchBar: appliedFilters.searchBar, diff --git a/server/controllers/wazuh-reporting.ts b/server/controllers/wazuh-reporting.ts index c8d21975ce..865b45ce1e 100644 --- a/server/controllers/wazuh-reporting.ts +++ b/server/controllers/wazuh-reporting.ts @@ -291,6 +291,7 @@ export class WazuhReportingCtrl { browserTimezone, searchBar, filters, + serverSideQuery, time, tables, section, @@ -327,7 +328,7 @@ export class WazuhReportingCtrl { apiId, new Date(from).getTime(), new Date(to).getTime(), - sanitizedFilters, + serverSideQuery, agentsFilter, indexPatternTitle, agents 
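Review bot: The `sanitizedFilters` argument to `extendedInformation` is replaced by `serverSideQuery`, which is the request-body object passed through untouched, so whatever sanitisation produced the old value (computed above this hunk, not visible here) no longer applies to what the reporting helpers send to Elasticsearch. If `sanitizedFilters` is now unused in this handler, the dead computation should be removed; if it still matters (e.g. for the search bar), the equivalent validation has to be applied to `serverSideQuery` before this call. The enclosing handler starts above and ends below this hunk.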
@@ -876,7 +877,7 @@ export class WazuhReportingCtrl { ) => { try { log('reporting:createReportsAgentsInventory', `Report started`, 'info'); - const { searchBar, filters, time, indexPatternTitle, apiId } = request.body; + const { searchBar, filters, time, indexPatternTitle, apiId, serverSideQuery } = request.body; const { agentID } = request.params; const { from, to } = time || {}; // Init @@ -1062,6 +1063,15 @@ export class WazuhReportingCtrl { }; if (time) { + // Add Vulnerability Detector filter to the Server Side Query + serverSideQuery?.bool?.must?.push?.({ + match_phrase: { + "rule.groups": { + query: "vulnerability-detector" + } + } + }); + await extendedInformation( context, printer, @@ -1070,7 +1080,7 @@ export class WazuhReportingCtrl { apiId, from, to, - sanitizedFilters + ' AND rule.groups: "vulnerability-detector"', + serverSideQuery, agentsFilter, indexPatternTitle, agentID diff --git a/server/lib/reporting/base-query.ts b/server/lib/reporting/base-query.ts index 09d1f35f50..b7c54d2a55 100644 --- a/server/lib/reporting/base-query.ts +++ b/server/lib/reporting/base-query.ts 
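Review bot: The `serverSideQuery?.bool?.must?.push?.(...)` chain silently does nothing when the body has no `serverSideQuery` or it lacks `bool.must` (the route marks the field optional elsewhere in this patch), so the vulnerability-detector scoping that the replaced string concatenation always applied can now be skipped, and `extendedInformation` receives `undefined` as its filters. It also mutates `request.body` in place, so any later use of `serverSideQuery` in this handler sees the extra clause. I would reject the malformed case before this branch, `if (!Array.isArray(serverSideQuery?.bool?.must)) throw new Error('serverSideQuery must be an Elasticsearch bool query');` (or a 400 via the handler's response factory), and push the clause onto a copy rather than the request object. `createReportsAgentsInventory` continues below this hunk, so I cannot see whether `serverSideQuery` is reused later.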
@@ -10,44 +10,23 @@ * Find more information about this on the LICENSE file. */ export function Base(pattern: string, filters: any, gte: number, lte: number, allowedAgentsFilter: any = null) { + filters?.bool?.must?.push?.({ + range: { + timestamp: { + gte: gte, + lte: lte, + format: 'epoch_millis' + } + } + }); const base = { - // index: pattern, - from: 0, size: 500, aggs: {}, sort: [], script_fields: {}, - query: { - bool: { - must: [ - { - query_string: { - query: filters, - analyze_wildcard: true, - default_field: '*' - } - }, - { - range: { - timestamp: { - gte: gte, - lte: lte, - format: 'epoch_millis' - } - } - } - ], - must_not: [] - } - } + query: filters }; - //Add allowed agents filter - if(allowedAgentsFilter?.query?.bool){ - base.query.bool.minimum_should_match = allowedAgentsFilter.query.bool.minimum_should_match; - base.query.bool.should = allowedAgentsFilter.query.bool.should; - } - return base; } diff --git a/server/lib/reporting/extended-information.ts b/server/lib/reporting/extended-information.ts index a533abff0b..4c7572edee 100644 --- a/server/lib/reporting/extended-information.ts +++ b/server/lib/reporting/extended-information.ts @@ -140,7 +140,7 @@ export async function extendedInformation( try { log( 'reporting:extendedInformation', - `Section ${section} and tab ${tab}, API is ${apiId}. From ${from} to ${to}. Filters ${filters}. Index pattern ${pattern}`, + `Section ${section} and tab ${tab}, API is ${apiId}. From ${from} to ${to}. Filters ${JSON.stringify(filters)}. Index pattern ${pattern}`, 'info' ); if (section === 'agents' && !agent) { diff --git a/server/lib/reporting/gdpr-request.ts b/server/lib/reporting/gdpr-request.ts index ff377572a0..36dc50bb32 100644 --- a/server/lib/reporting/gdpr-request.ts +++ b/server/lib/reporting/gdpr-request.ts 
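Review bot: `allowedAgentsFilter` is still a parameter of `Base()` but is no longer read — the removed lines merged its `should`/`minimum_should_match` clauses into the query and nothing in the new body does, so whatever scope that filter enforced (presumably the server-computed allowed-agents restriction passed as `agentsFilter` by the controller) never reaches Elasticsearch now that `query` is exactly the client-supplied object. The restriction must be re-applied server-side after the range push, e.g. `if (allowedAgentsFilter?.query?.bool) { filters.bool.filter = [...(filters.bool.filter || []), allowedAgentsFilter.query]; }`, which composes it in filter context without clobbering any `should` the client sent. A comment on the parameter saying it is the server-enforced agent scope and must not be dropped would protect the next refactor.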
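Review bot: The info-level log now serialises the whole client-supplied query object on every report run; the route hunk in this patch accepts that object as `schema.any()`, so this line will write arbitrarily large, user-controlled JSON (including search terms) into the server log. `JSON.stringify` yields a single line, so log-line injection is not the concern here, volume and sensitivity are. I would move it to debug level or cap it, e.g. `Filters ${JSON.stringify(filters).slice(0, 1024)}`. `extendedInformation` starts above and continues below this hunk.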
@@ -28,10 +28,10 @@ export const topGDPRRequirements = async ( allowedAgentsFilter, pattern = getSettingDefaultValue('pattern') ) => { - if (filters.includes('rule.gdpr: exists')) { - const [head, tail] = filters.split('AND rule.gdpr: exists'); - filters = head + tail; - }; + // Remove the "rule.gdpr" filter + filters.bool.filter = filters.bool.filter.filter(filterValue => ( + JSON.stringify(filterValue) !== '{"exists":{"field":"rule.gdpr"}}' + )); try { const base = {}; @@ -86,10 +86,10 @@ export const getRulesByRequirement= async ( requirement, pattern = getSettingDefaultValue('pattern') ) => { - if (filters.includes('rule.gdpr: exists')) { - const [head, tail] = filters.split('AND rule.gdpr: exists'); - filters = head + tail; - }; + // Remove the "rule.gdpr" filter + filters.bool.filter = filters.bool.filter.filter(filterValue => ( + JSON.stringify(filterValue) !== '{"exists":{"field":"rule.gdpr"}}' + )); try { const base = {}; diff --git a/server/lib/reporting/pci-request.ts b/server/lib/reporting/pci-request.ts index 8660265d66..697eeccf18 100644 --- a/server/lib/reporting/pci-request.ts +++ b/server/lib/reporting/pci-request.ts @@ -28,9 +28,10 @@ export const topPCIRequirements = async ( allowedAgentsFilter, pattern = getSettingDefaultValue('pattern') ) => { - if (filters.includes('rule.pci_dss: exists')) { - filters = filters.replace('AND rule.pci_dss: exists', ''); - }; + // Remove the "rule.pci_dss" filter + filters.bool.filter = filters.bool.filter.filter(filterValue => ( + JSON.stringify(filterValue) !== '{"exists":{"field":"rule.pci_dss"}}' + )); try { const base = {}; 
@@ -100,9 +101,10 @@ export const getRulesByRequirement = async ( requirement, pattern = getSettingDefaultValue('pattern') ) => { - if (filters.includes('rule.pci_dss: exists')) { - filters = filters.replace('AND rule.pci_dss: exists', ''); - }; + // Remove the "rule.pci_dss" filter + filters.bool.filter = filters.bool.filter.filter(filterValue => ( + JSON.stringify(filterValue) !== '{"exists":{"field":"rule.pci_dss"}}' + )); try { const base = {}; diff --git a/server/lib/reporting/tsc-request.ts b/server/lib/reporting/tsc-request.ts index e326d6d054..b13a9e6a7f 100644 --- a/server/lib/reporting/tsc-request.ts +++ b/server/lib/reporting/tsc-request.ts @@ -28,9 +28,10 @@ export const topTSCRequirements = async ( allowedAgentsFilter, pattern = getSettingDefaultValue('pattern') ) => { - if (filters.includes('rule.tsc: exists')) { - filters = filters.replace('AND rule.tsc: exists', ''); - }; + // Remove the "rule.tsc" filter + filters.bool.filter = filters.bool.filter.filter(filterValue => ( + JSON.stringify(filterValue) !== '{"exists":{"field":"rule.tsc"}}' + )); try { const base = {}; @@ -92,7 +93,7 @@ export const topTSCRequirements = async ( * @returns {Array} */ export const getRulesByRequirement = async ( - context, + context, gte, lte, filters, @@ -100,9 +101,10 @@ export const getRulesByRequirement = async ( requirement, pattern = getSettingDefaultValue('pattern') ) => { - if (filters.includes('rule.tsc: exists')) { - filters = filters.replace('AND rule.tsc: exists', ''); - }; + // Remove the "rule.tsc" filter + filters.bool.filter = filters.bool.filter.filter(filterValue => ( + JSON.stringify(filterValue) !== '{"exists":{"field":"rule.tsc"}}' + )); try { const base = {}; diff --git a/server/routes/wazuh-reporting.test.ts b/server/routes/wazuh-reporting.test.ts index d14a6874af..e99232328c 100644 --- a/server/routes/wazuh-reporting.test.ts +++ b/server/routes/wazuh-reporting.test.ts 
@@ -189,7 +189,7 @@ describe('[endpoint] PUT /utils/configuration', () => { `(`Set custom report header and footer - Verify PDF output`, async ({footer, header, responseStatusCode, expectedMD5, tab}) => { // Mock PDF report parameters - const reportBody = { "array": [], "filters": [], "time": { "from": '2022-10-01T09:59:40.825Z', "to": '2022-10-04T09:59:40.825Z' }, "searchBar": "", "tables": [], "tab": tab, "section": "overview", "agents": false, "browserTimezone": "Europe/Madrid", "indexPatternTitle": "wazuh-alerts-*", "apiId": "default" }; + const reportBody = { "array": [], "serverSideQuery": [], "filters": [], "time": { "from": '2022-10-01T09:59:40.825Z', "to": '2022-10-04T09:59:40.825Z' }, "searchBar": "", "tables": [], "tab": tab, "section": "overview", "agents": false, "browserTimezone": "Europe/Madrid", "indexPatternTitle": "wazuh-alerts-*", "apiId": "default" }; // Define custom configuration const configurationBody = {}; diff --git a/server/routes/wazuh-reporting.ts b/server/routes/wazuh-reporting.ts index 5b4988e707..f07e509e4b 100644 --- a/server/routes/wazuh-reporting.ts +++ b/server/routes/wazuh-reporting.ts @@ -60,6 +60,7 @@ export function WazuhReportingRoutes(router: IRouter) { body: schema.object({ array: schema.any(), browserTimezone: schema.string(), + serverSideQuery: schema.maybe(schema.any()), filters: schema.maybe(schema.any()), agents: schema.maybe(schema.oneOf([agentIDValidation, schema.boolean()])), components: schema.maybe(schema.any()), @@ -124,6 +125,7 @@ export function WazuhReportingRoutes(router: IRouter) { body: schema.object({ array: schema.any(), browserTimezone: schema.string(), + serverSideQuery: schema.maybe(schema.any()), filters: schema.maybe(schema.any()), agents: schema.maybe(schema.oneOf([schema.string(), schema.boolean()])), components: schema.maybe(schema.any()), From 85a250152d6962d73c7bfa55cc122bf9e873f57b Mon Sep 17 00:00:00 2001 
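Review bot: The fixture sends `"serverSideQuery": []`, an array, which is not the `{ bool: { must: [...] } }` shape that `Base()` and the compliance helpers index into — with an array the optional-chained push in `Base()` is a no-op and the request would reach the search client with `query: []`. Presumably the Elasticsearch client is mocked here, which is why the test still passes, but it should exercise the shape the server relies on: `"serverSideQuery": { "bool": { "must": [], "filter": [], "should": [], "must_not": [] } }`.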
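Review bot: `serverSideQuery: schema.maybe(schema.any())` lets a caller ship an arbitrary Elasticsearch query DSL that the reporting code forwards to `asCurrentUser.search` as-is; because the search runs with the caller's own credentials this is not an escalation against Elasticsearch itself, but every app-level check that used to be composed into the query now only exists if the server re-applies it after validation, and the downstream `bool.must` / `bool.filter` pushes assume a shape this schema does not guarantee. At minimum pin that shape: `serverSideQuery: schema.maybe(schema.object({ bool: schema.object({ must: schema.arrayOf(schema.any()), filter: schema.maybe(schema.arrayOf(schema.any())) }, { unknowns: 'allow' }) }, { unknowns: 'forbid' })),`. The second route hunk below adds the identical field and needs the same treatment.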
From: Federico Rodriguez Date: Tue, 25 Jul 2023 19:51:13 +0200 Subject: [PATCH 2/6] Added Changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 33d536ef1a..0034ca06f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ All notable changes to the Wazuh app project will be documented in this file. - Fixed the rendering of tables that contains IPs and agent overview [#5471](https://github.com/wazuh/wazuh-kibana-app/pull/5471) - Fixed the agents active coverage stat as NaN in Details panel of Agents section [#5490](https://github.com/wazuh/wazuh-kibana-app/pull/5490) - Fixed a broken documentation link to agent labels [#5687](https://github.com/wazuh/wazuh-kibana-app/pull/5687) +- Fixed the PDF report filters applied to tables [#5714](https://github.com/wazuh/wazuh-kibana-app/pull/5714) ### Removed From ee51f9552bf1f18b3364f75f27bd3a9394e5b5de Mon Sep 17 00:00:00 2001 From: Federico Rodriguez Date: Tue, 25 Jul 2023 20:00:43 +0200 Subject: [PATCH 3/6] Add comments --- public/react-services/reporting.js | 2 +- server/lib/reporting/gdpr-request.ts | 4 ++-- server/lib/reporting/pci-request.ts | 4 ++-- server/lib/reporting/tsc-request.ts | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/public/react-services/reporting.js b/public/react-services/reporting.js index a9ad9a868f..57efe1b2db 100644 --- a/public/react-services/reporting.js +++ b/public/react-services/reporting.js @@ -97,7 +97,7 @@ export class ReportingService { const data = { array, - serverSideQuery, + serverSideQuery, // Used for applying the same filters on the server side requests filters: appliedFilters.filters, time: appliedFilters.time, searchBar: appliedFilters.searchBar, diff --git a/server/lib/reporting/gdpr-request.ts b/server/lib/reporting/gdpr-request.ts index 36dc50bb32..b9520b7773 100644 --- a/server/lib/reporting/gdpr-request.ts +++ b/server/lib/reporting/gdpr-request.ts 
@@ -28,7 +28,7 @@ export const topGDPRRequirements = async ( allowedAgentsFilter, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.gdpr" filter + // Remove the "rule.gdpr" filter and later add it as a must filters.bool.filter = filters.bool.filter.filter(filterValue => ( JSON.stringify(filterValue) !== '{"exists":{"field":"rule.gdpr"}}' )); @@ -86,7 +86,7 @@ export const getRulesByRequirement= async ( requirement, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.gdpr" filter + // Remove the "rule.gdpr" filter and later add it as a must with the requirement filters.bool.filter = filters.bool.filter.filter(filterValue => ( JSON.stringify(filterValue) !== '{"exists":{"field":"rule.gdpr"}}' )); diff --git a/server/lib/reporting/pci-request.ts b/server/lib/reporting/pci-request.ts index 697eeccf18..b5640710d0 100644 --- a/server/lib/reporting/pci-request.ts +++ b/server/lib/reporting/pci-request.ts @@ -28,7 +28,7 @@ export const topPCIRequirements = async ( allowedAgentsFilter, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.pci_dss" filter + // Remove the "rule.pci_dss" filter and later add it as a must filters.bool.filter = filters.bool.filter.filter(filterValue => ( JSON.stringify(filterValue) !== '{"exists":{"field":"rule.pci_dss"}}' )); @@ -101,7 +101,7 @@ export const getRulesByRequirement = async ( requirement, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.pci_dss" filter + // Remove the "rule.pci_dss" filter and later add it as a must with the requirement filters.bool.filter = filters.bool.filter.filter(filterValue => ( JSON.stringify(filterValue) !== '{"exists":{"field":"rule.pci_dss"}}' )); diff --git a/server/lib/reporting/tsc-request.ts b/server/lib/reporting/tsc-request.ts index b13a9e6a7f..f4db290772 100644 --- a/server/lib/reporting/tsc-request.ts +++ b/server/lib/reporting/tsc-request.ts 
@@ -28,7 +28,7 @@ export const topTSCRequirements = async ( allowedAgentsFilter, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.tsc" filter + // Remove the "rule.tsc" filter and later add it as a must filters.bool.filter = filters.bool.filter.filter(filterValue => ( JSON.stringify(filterValue) !== '{"exists":{"field":"rule.tsc"}}' )); @@ -101,7 +101,7 @@ export const getRulesByRequirement = async ( requirement, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.tsc" filter + // Remove the "rule.tsc" filter and later add it as a must with the requirement filters.bool.filter = filters.bool.filter.filter(filterValue => ( JSON.stringify(filterValue) !== '{"exists":{"field":"rule.tsc"}}' )); From cce40708ef178596a877d5f507a210f9fff1156e Mon Sep 17 00:00:00 2001 From: Federico Rodriguez Date: Wed, 26 Jul 2023 11:52:09 +0200 Subject: [PATCH 4/6] Fix deep clone filters --- server/lib/reporting/base-query.ts | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/server/lib/reporting/base-query.ts b/server/lib/reporting/base-query.ts index b7c54d2a55..7e67e541d8 100644 --- a/server/lib/reporting/base-query.ts +++ b/server/lib/reporting/base-query.ts @@ -9,8 +9,12 @@ * * Find more information about this on the LICENSE file. */ + +import { cloneDeep } from 'lodash'; + export function Base(pattern: string, filters: any, gte: number, lte: number, allowedAgentsFilter: any = null) { - filters?.bool?.must?.push?.({ + const clonedFilter = cloneDeep(filters); + clonedFilter?.bool?.must?.push?.({ range: { timestamp: { gte: gte, @@ -25,7 +29,7 @@ export function Base(pattern: string, filters: any, gte: number, lte: number, al aggs: {}, sort: [], script_fields: {}, - query: filters + query: clonedFilter }; return base; From 98c91dd5282b75de807da205974213561e4856f5 Mon Sep 17 00:00:00 2001 
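Review bot: `cloneDeep(undefined)` is `undefined`, so when the body arrives without `serverSideQuery` (the route marks it optional) the range push is skipped and `base.query` is `undefined`; `JSON.stringify` drops it from the request and Elasticsearch then treats the missing `query` as `match_all`, so the aggregation silently runs over the entire index with no time bound and none of the caller's filters. Absence should be an error rather than an unbounded search: `if (!clonedFilter?.bool) throw new Error('Base: filters must be an Elasticsearch bool query');` before the push, and `(clonedFilter.bool.must = clonedFilter.bool.must || []).push({ ... })` so a bool query without `must` still receives the time range. Copying the input before mutating it is the right fix for the shared-object problem; the guard just needs to fail loudly instead of quietly.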
From: Federico Rodriguez Date: Wed, 26 Jul 2023 13:19:28 +0200 Subject: [PATCH 5/6] Fix server side requirement query --- server/lib/reporting/gdpr-request.ts | 27 ++++++----------- server/lib/reporting/pci-request.ts | 32 +++++++------------- server/lib/reporting/tsc-request.ts | 44 ++++++++++------------------ 3 files changed, 35 insertions(+), 68 deletions(-) diff --git a/server/lib/reporting/gdpr-request.ts b/server/lib/reporting/gdpr-request.ts index b9520b7773..29c8c7c690 100644 --- a/server/lib/reporting/gdpr-request.ts +++ b/server/lib/reporting/gdpr-request.ts @@ -28,10 +28,6 @@ export const topGDPRRequirements = async ( allowedAgentsFilter, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.gdpr" filter and later add it as a must - filters.bool.filter = filters.bool.filter.filter(filterValue => ( - JSON.stringify(filterValue) !== '{"exists":{"field":"rule.gdpr"}}' - )); try { const base = {}; @@ -50,12 +46,6 @@ export const topGDPRRequirements = async ( } }); - base.query.bool.must.push({ - exists: { - field: 'rule.gdpr' - } - }); - const response = await context.core.elasticsearch.client.asCurrentUser.search({ index: pattern, body: base @@ -77,7 +67,7 @@ export const topGDPRRequirements = async ( * @param {String} filters E.g: cluster.name: wazuh AND rule.groups: vulnerability * @returns {Array} */ -export const getRulesByRequirement= async ( +export const getRulesByRequirement = async ( context, gte, lte, @@ -86,10 +76,6 @@ export const getRulesByRequirement= async ( requirement, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.gdpr" filter and later add it as a must with the requirement - filters.bool.filter = filters.bool.filter.filter(filterValue => ( - JSON.stringify(filterValue) !== '{"exists":{"field":"rule.gdpr"}}' - )); try { const base = {}; 
@@ -119,8 +105,13 @@ export const getRulesByRequirement= async ( } }); - base.query.bool.must[0].query_string.query = - base.query.bool.must[0].query_string.query + ` AND rule.gdpr: "${requirement}"`; + base.query.bool.filter.push({ + match_phrase: { + 'rule.gdpr': { + query: requirement + } + } + }); const response = await context.core.elasticsearch.client.asCurrentUser.search({ index: pattern, @@ -138,7 +129,7 @@ export const getRulesByRequirement= async ( ) { return accum; }; - accum.push({ruleID: bucket['3'].buckets[0].key, ruleDescription: bucket.key}); + accum.push({ ruleID: bucket['3'].buckets[0].key, ruleDescription: bucket.key }); return accum; }, []); } catch (error) { diff --git a/server/lib/reporting/pci-request.ts b/server/lib/reporting/pci-request.ts index b5640710d0..cbaec5bb26 100644 --- a/server/lib/reporting/pci-request.ts +++ b/server/lib/reporting/pci-request.ts @@ -28,11 +28,7 @@ export const topPCIRequirements = async ( allowedAgentsFilter, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.pci_dss" filter and later add it as a must - filters.bool.filter = filters.bool.filter.filter(filterValue => ( - JSON.stringify(filterValue) !== '{"exists":{"field":"rule.pci_dss"}}' - )); - + try { const base = {}; @@ -49,13 +45,7 @@ export const topPCIRequirements = async ( } } }); - - base.query.bool.must.push({ - exists: { - field: 'rule.pci_dss' - } - }); - + const response = await context.core.elasticsearch.client.asCurrentUser.search({ index: pattern, body: base @@ -101,11 +91,7 @@ export const getRulesByRequirement = async ( requirement, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.pci_dss" filter and later add it as a must with the requirement - filters.bool.filter = filters.bool.filter.filter(filterValue => ( - JSON.stringify(filterValue) !== '{"exists":{"field":"rule.pci_dss"}}' - )); - + try { const base = {}; 
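Review bot: `base.query.bool.filter.push(...)` assumes the client-supplied query carries a `bool.filter` array; `Base()` in this series only guards its own `must` push, so a query without `filter` throws a TypeError here that the surrounding `catch` (its body is outside the hunk) will absorb, and the requirement rows come back empty with no indication why. I would normalise first: `base.query.bool.filter = base.query.bool.filter || [];`. Replacing the `query_string` concatenation with a `match_phrase` clause is the right move, since `requirement` is no longer interpolated into query syntax. `getRulesByRequirement` starts above this hunk.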
@@ -134,11 +120,13 @@ export const getRulesByRequirement = async ( } }); - base.query.bool.must[0].query_string.query = - base.query.bool.must[0].query_string.query + - ' AND rule.pci_dss: "' + - requirement + - '"'; + base.query.bool.filter.push({ + match_phrase: { + 'rule.pci_dss': { + query: requirement + } + } + }); const response = await context.core.elasticsearch.client.asCurrentUser.search({ index: pattern, diff --git a/server/lib/reporting/tsc-request.ts b/server/lib/reporting/tsc-request.ts index f4db290772..8f08db0d10 100644 --- a/server/lib/reporting/tsc-request.ts +++ b/server/lib/reporting/tsc-request.ts @@ -12,14 +12,14 @@ import { Base } from './base-query'; import { getSettingDefaultValue } from '../../../common/services/settings'; - /** - * Returns top 5 TSC requirements - * @param {Number} context Endpoint context - * @param {Number} gte Timestamp (ms) from - * @param {Number} lte Timestamp (ms) to - * @param {String} filters E.g: cluster.name: wazuh AND rule.groups: vulnerability - * @returns {Array} - */ +/** + * Returns top 5 TSC requirements + * @param {Number} context Endpoint context + * @param {Number} gte Timestamp (ms) from + * @param {Number} lte Timestamp (ms) to + * @param {String} filters E.g: cluster.name: wazuh AND rule.groups: vulnerability + * @returns {Array} + */ export const topTSCRequirements = async ( context, gte, @@ -28,10 +28,6 @@ export const topTSCRequirements = async ( allowedAgentsFilter, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.tsc" filter and later add it as a must - filters.bool.filter = filters.bool.filter.filter(filterValue => ( - JSON.stringify(filterValue) !== '{"exists":{"field":"rule.tsc"}}' - )); try { const base = {}; @@ -50,12 +46,6 @@ export const topTSCRequirements = async ( } }); - base.query.bool.must.push({ - exists: { - field: 'rule.tsc' - } - }); - const response = await context.core.elasticsearch.client.asCurrentUser.search({ index: pattern, body: base 
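Review bot: Same gap as the GDPR helper — `base.query.bool.filter.push(...)` throws when the incoming query has no `filter` array, and the error is swallowed by the enclosing `try`/`catch` (outside the hunk), leaving the PCI requirement table empty. Add `base.query.bool.filter = base.query.bool.filter || [];` before the push, or make `Base()` guarantee the arrays once for all callers. `getRulesByRequirement` starts above and ends below this hunk.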
@@ -101,10 +91,6 @@ export const getRulesByRequirement = async ( requirement, pattern = getSettingDefaultValue('pattern') ) => { - // Remove the "rule.tsc" filter and later add it as a must with the requirement - filters.bool.filter = filters.bool.filter.filter(filterValue => ( - JSON.stringify(filterValue) !== '{"exists":{"field":"rule.tsc"}}' - )); try { const base = {}; @@ -134,11 +120,13 @@ export const getRulesByRequirement = async ( } }); - base.query.bool.must[0].query_string.query = - base.query.bool.must[0].query_string.query + - ' AND rule.tsc: "' + - requirement + - '"'; + base.query.bool.filter.push({ + match_phrase: { + 'rule.tsc': { + query: requirement + } + } + }); const response = await context.core.elasticsearch.client.asCurrentUser.search({ index: pattern, @@ -157,7 +145,7 @@ export const getRulesByRequirement = async ( ) { return accum; }; - accum.push({ruleID: bucket['3'].buckets[0].key, ruleDescription: bucket.key}); + accum.push({ ruleID: bucket['3'].buckets[0].key, ruleDescription: bucket.key }); return accum; }, []); } catch (error) { From 39f8af7848cbe729ce5b04249326a506ba722626 Mon Sep 17 00:00:00 2001 From: Federico Rodriguez Date: Wed, 26 Jul 2023 17:29:13 +0200 Subject: [PATCH 6/6] Fix rootkit filter --- server/lib/reporting/rootcheck-request.ts | 25 +++++++++++++++-------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/server/lib/reporting/rootcheck-request.ts b/server/lib/reporting/rootcheck-request.ts index ac48328b3a..8a46094ab9 100644 --- a/server/lib/reporting/rootcheck-request.ts +++ b/server/lib/reporting/rootcheck-request.ts @@ -46,9 +46,11 @@ export const top5RootkitsDetected = async ( } }); - base.query.bool.must[0].query_string.query = - base.query.bool.must[0].query_string.query + - ' AND "rootkit" AND "detected"'; + base.query?.bool?.must?.push({ + query_string: { + query: '"rootkit" AND "detected"' + } + }); const response = await context.core.elasticsearch.client.asCurrentUser.search({ index: pattern, 
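Review bot: `base.query.bool.filter.push(...)` in the TSC `getRulesByRequirement` has the same unguarded access as the GDPR and PCI helpers: a client query without a `filter` array raises a TypeError that the enclosing `catch` (outside the hunk) hides, and the table renders empty. Add `base.query.bool.filter = base.query.bool.filter || [];` before the push, or normalise the shape once in `Base()`. The function begins above this hunk.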
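Review bot: The new `query_string` clause is pushed with `base.query?.bool?.must?.push(...)`, so when the incoming query has no `bool.must` the `"rootkit" AND "detected"` restriction is silently dropped and the aggregation counts every in-range alert as a rootkit detection — a wrong number rather than a failure. The old clause also inherited `default_field: '*'` and `analyze_wildcard: true` from the removed `Base()` query; the new one relies on the index's default field setting, which is probably `*` but worth pinning: `query_string: { query: '"rootkit" AND "detected"', default_field: '*' }`. I would drop the optional chaining so a malformed query fails loudly, consistent with the `filter.push` calls in the compliance helpers. `top5RootkitsDetected` starts above this hunk.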
@@ -97,9 +99,11 @@ export const agentsWithHiddenPids = async ( } }); - base.query.bool.must[0].query_string.query = - base.query.bool.must[0].query_string.query + - ' AND "process" AND "hidden"'; + base.query?.bool?.must?.push({ + query_string: { + query: '"process" AND "hidden"' + } + }); // "aggregations": { "1": { "value": 1 } } const response = await context.core.elasticsearch.client.asCurrentUser.search({ @@ -126,7 +130,7 @@ export const agentsWithHiddenPids = async ( * @param {String} filters E.g: cluster.name: wazuh AND rule.groups: vulnerability * @returns {Array} */ -export const agentsWithHiddenPorts = async( +export const agentsWithHiddenPorts = async ( context, gte, lte, @@ -147,8 +151,11 @@ export const agentsWithHiddenPorts = async( } }); - base.query.bool.must[0].query_string.query = - base.query.bool.must[0].query_string.query + ' AND "port" AND "hidden"'; + base.query?.bool?.must?.push({ + query_string: { + query: '"port" AND "hidden"' + } + }); // "aggregations": { "1": { "value": 1 } } const response = await context.core.elasticsearch.client.asCurrentUser.search({
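Review bot: `agentsWithHiddenPids` and `agentsWithHiddenPorts` push their `"process" AND "hidden"` / `"port" AND "hidden"` clauses through `base.query?.bool?.must?.push(...)`, so a query without `bool.must` silently loses the restriction and the `"1"` aggregation that follows counts agents for every alert in range. These are term restrictions the server controls, so they should never be optional: use `base.query.bool.must.push({ query_string: { query: '"process" AND "hidden"', default_field: '*' } })` (and the same for ports) and let a malformed query surface as an error. Both functions start above their hunks and end below them.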