From 33fb49e52bc285332ced6c64b0aec552bac37ede Mon Sep 17 00:00:00 2001 
From: Bruce Hodge Date: Thu, 5 Oct 2023 10:10:31 -0400 Subject: [PATCH 1/2] Fixed issues with pipeline test failures --- packages/tychon/changelog.yml | 2 +- .../test/pipeline/test-arp.json-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 9 +- .../test/pipeline/test-cpu.json-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 9 +- .../_dev/test/pipeline/test-cve.json | 10 +- .../test/pipeline/test-cve.json-expected.json | 14 +- .../elasticsearch/ingest_pipeline/default.yml | 10 +- .../test/pipeline/test-epp.json-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 9 +- .../test-exposedservice.json-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 9 +- .../_dev/test/pipeline/test-harddrive.json | 130 +++++++++--------- .../pipeline/test-harddrive.json-config.yml | 1 + .../test-harddrive.json-expected.json | 12 +- .../elasticsearch/ingest_pipeline/default.yml | 11 +- .../_dev/test/pipeline/test-hardware.json | 8 +- .../pipeline/test-hardware.json-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 11 +- .../_dev/test/pipeline/test-host.json | 8 +- .../pipeline/test-host.json-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 11 +- .../test/pipeline/test-networkadapter.json | 8 +- .../test-networkadapter.json-expected.json | 9 +- .../elasticsearch/ingest_pipeline/default.yml | 72 +++++----- .../tychon_networkadapter/fields/fields.yml | 12 +- .../pipeline/test-patch.json-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 9 +- .../test/pipeline/test-softwareinventory.json | 8 +- .../test-softwareinventory.json-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 11 +- .../pipeline/test-stig.json-expected.json | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 9 +- .../data_stream/tychon_stig/fields/fields.yml | 7 +- .../_dev/test/pipeline/test-volumes.json | 8 +- .../pipeline/test-volumes.json-expected.json | 4 +- 
.../elasticsearch/ingest_pipeline/default.yml | 11 +- packages/tychon/docs/README.md | 15 +- packages/tychon/elasticIntegration/esLogs.sh | 1 + .../tychon/elasticIntegration/installPkg.sh | 18 +++ .../tychon/elasticIntegration/kibanLogs.sh | 1 + .../tychon/elasticIntegration/startDocker.sh | 14 ++ .../tychon/elasticIntegration/startElastic.sh | 10 ++ .../tychon/elasticIntegration/startFleet.sh | 8 ++ .../elasticIntegration/startRegistry.sh | 6 + .../tychon/elasticIntegration/stopDocker.sh | 6 + packages/tychon/manifest.yml | 2 +- 47 files changed, 304 insertions(+), 245 deletions(-) create mode 100644 packages/tychon/elasticIntegration/esLogs.sh create mode 100644 packages/tychon/elasticIntegration/installPkg.sh create mode 100644 packages/tychon/elasticIntegration/kibanLogs.sh create mode 100644 packages/tychon/elasticIntegration/startDocker.sh create mode 100644 packages/tychon/elasticIntegration/startElastic.sh create mode 100644 packages/tychon/elasticIntegration/startFleet.sh create mode 100644 packages/tychon/elasticIntegration/startRegistry.sh create mode 100644 packages/tychon/elasticIntegration/stopDocker.sh diff --git a/packages/tychon/changelog.yml b/packages/tychon/changelog.yml index f2c6caef04e..581aabf21dd 100644 --- a/packages/tychon/changelog.yml +++ b/packages/tychon/changelog.yml @@ -1,4 +1,4 @@ -- version: 0.0.54 +- version: 0.0.55 changes: - description: Fixed incorrect types in field.yml and cleaned up formatting type: enhancement diff --git a/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-expected.json b/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-expected.json index a82189f595f..2bbfaf00f64 100644 --- a/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-expected.json +++ b/packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-expected.json 
@@ -1,7 +1,7 @@
{
"expected": [
{
- "@timestamp": "2023-09-25T21:55:23.418865635Z",
+ "@timestamp": "2023-10-05T13:48:07.498243391Z",
"destination": {
"hostname": "Request timed out (700 ms)",
"ip": "10.70.4.16",
@@ -15,7 +15,7 @@
"category": [
"network"
],
- "ingested": "2023-09-25T21:55:23.418865635Z",
+ "ingested": "2023-10-05T13:48:07.498243391Z",
"kind": "state",
"module": "tychon",
"type": [
diff --git a/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml
index 05580cd8939..a65baf9d532 100644
--- a/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml
@@ -18,14 +18,15 @@ processors:
- set:
field: event.module
value: tychon
- - split:
- field: host.ipv4
- separator: ","
- ignore_missing: true
- gsub:
field: host.mac
pattern: ":"
replacement: "-"
+ ignore_missing: true
+ - split:
+ field: host.ipv4
+ separator: ","
+ ignore_missing: true
- convert:
field: host.uptime
type: string
diff --git a/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json-expected.json b/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json-expected.json
index 0c7ea16482a..194fcdb504d 100644
--- a/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json-expected.json
+++ b/packages/tychon/data_stream/tychon_cpu/_dev/test/pipeline/test-cpu.json-expected.json
@@ -1,7 +1,7 @@
{
"expected": [
{
- "@timestamp": "2023-09-25T21:55:23.632476469Z",
+ "@timestamp": "2023-10-05T13:48:07.751417637Z",
"ecs": {
"version": "8.8.0"
},
@@ -9,7 +9,7 @@
"category": [
"configuration"
],
- "ingested": "2023-09-25T21:55:23.632476469Z",
+ "ingested": "2023-10-05T13:48:07.751417637Z",
"kind": "state",
"module": "tychon",
"type": [
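Review bot: After this hunk the only processor that normalises a multi-valued host field in the arp pipeline is the `split` on `host.ipv4`; `host.mac` only passes through the `gsub`, so if the collector joins several MACs with a comma (the convention the `host.ipv4` split assumes for addresses) they are indexed as one keyword containing commas and MAC-based correlation silently degrades. The cve expected output elsewhere in this commit shows that `gsub` already copes with an array input, so adding `- split:` / `field: host.mac` / `separator: ","` ahead of the `gsub` is safe when the collector pre-splits, and a comment stating which host fields arrive as arrays and which as comma-joined strings would make the contract explicit. The same reorder-plus-`ignore_missing` hunk appears in the cpu, cve, epp, exposedservice and patch pipelines and the same remark applies there.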
diff --git a/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml index 41090539845..72a2b96542a 100644 --- a/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_cpu/elasticsearch/ingest_pipeline/default.yml @@ -12,14 +12,15 @@ processors: - set: field: ecs.version value: 8.8.0 - - split: - field: host.ipv4 - separator: "," - ignore_missing: true - gsub: field: host.mac pattern: ":" replacement: "-" + ignore_missing: true + - split: + field: host.ipv4 + separator: "," + ignore_missing: true - convert: field: host.uptime type: string diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json index c72268428c3..9a6c1d577d0 100644 --- a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json +++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json @@ -3,7 +3,7 @@ { "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", "host.cloud.hosted": false, - "host.domain": null, + "host.domain": "", "host.hardware.bios.name": "Phoenix Technologies LTD", "host.hardware.bios.version": "6.00", "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", @@ -12,10 +12,14 @@ "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", "host.hostname": "BOTANYBAYEP1", "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", - "host.ip": "10.1.9.51", + "host.ip": [ + "10.1.9.51" + ], "host.ipv4": "10.1.9.51", "host.ipv6": "", - "host.mac": "00:0C:29:93:6A:F3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], "host.oem.manufacturer": "", "host.oem.model": "", "host.os.build": "19045", 
diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json index aa333a929a1..e035b567a9c 100644 --- a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json +++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:23.823090043Z", + "@timestamp": "2023-10-05T13:48:07.991051920Z", "ecs": { "version": "8.8.0" }, @@ -9,7 +9,7 @@ "category": [ "vulnerability" ], - "ingested": "2023-09-25T21:55:23.823090043Z", + "ingested": "2023-10-05T13:48:07.991051920Z", "kind": "state", "module": "tychon", "outcome": "success", @@ -22,7 +22,7 @@ "cloud": { "hosted": false }, - "domain": null, + "domain": "", "hardware": { "bios": { "name": "Phoenix Technologies LTD", @@ -37,12 +37,16 @@ }, "hostname": "BOTANYBAYEP1", "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", - "ip": "10.1.9.51", + "ip": [ + "10.1.9.51" + ], "ipv4": [ "10.1.9.51" ], "ipv6": "", - "mac": "00-0C-29-93-6A-F3", + "mac": [ + "00-0C-29-93-6A-F3" + ], "oem": { "manufacturer": "", "model": "" diff --git a/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml index 82680cae7cf..c618184d707 100644 --- a/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml @@ -31,14 +31,15 @@ processors: - set: field: event.module value: tychon - - split: - field: host.ipv4 - separator: "," - ignore_missing: true - gsub: field: host.mac pattern: ":" replacement: "-" + ignore_missing: true + - split: + field: host.ipv4 + separator: "," + ignore_missing: true - convert: field: host.uptime type: string 
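Review bot: The cve fixture now sends `host.domain` as `""` instead of `null` and the expected output carries the empty string through unchanged, yet nothing in this pipeline drops it, so a workgroup host will index an empty-string term in `host.domain` while the networkadapter pipeline in this same commit removes adapter fields whose value is `''`. Add the same treatment here, `- remove:` / `field: host.domain` / `if: ctx.host?.domain == ''`, so that absent and empty mean the same thing to queries that pivot on domain. Whether the production collector emits `null` or `""` is not visible from the diff; the fixture change suggests `""`.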
@@ -82,6 +83,7 @@ processors: - convert: field: vulnerability.score.base type: float + ignore_failure: true - convert: field: vulnerability.year type: long diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json index 2000bcf3339..774a059e775 100644 --- a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json +++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:24.027955596Z", + "@timestamp": "2023-10-05T13:48:08.349377955Z", "ecs": { "version": "8.8.0" }, @@ -24,7 +24,7 @@ "category": [ "configuration" ], - "ingested": "2023-09-25T21:55:24.027955596Z", + "ingested": "2023-10-05T13:48:08.349377955Z", "kind": "state", "module": "tychon", "type": [ diff --git a/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml index 0a966f2d258..8c3bbeacd7a 100644 --- a/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml @@ -24,14 +24,15 @@ processors: - set: field: event.type value: [info] - - split: - field: host.ipv4 - separator: "," - ignore_missing: true - gsub: field: host.mac pattern: ":" replacement: "-" + ignore_missing: true + - split: + field: host.ipv4 + separator: "," + ignore_missing: true - convert: field: host.uptime type: string diff --git a/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json-expected.json b/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json-expected.json index ac12640cb35..248cb3c542b 100644 
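Review bot: `ignore_failure: true` on the `vulnerability.score.base` conversion leaves the original string in the document whenever it is not numeric, so the unconverted value still reaches the index and the CVSS score is silently lost to any query or alert that ranks by it. If the failure being masked is an empty string from the collector, a conditional remove placed before the convert is more precise, `- remove:` / `field: vulnerability.score.base` / `if: ctx.vulnerability?.score?.base == ''`; if genuinely malformed values are expected, an `on_failure` handler that tags the event keeps the bad records visible instead of hiding them. The mapping for this field lives in the data stream's fields.yml, which is outside this diff, so I cannot confirm whether a leftover string would be rejected or dynamically mapped.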
--- a/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json-expected.json +++ b/packages/tychon/data_stream/tychon_exposedservice/_dev/test/pipeline/test-exposedservice.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:24.225040722Z", + "@timestamp": "2023-10-05T13:48:08.716336204Z", "ecs": { "version": "8.8.0" }, @@ -9,7 +9,7 @@ "category": [ "network" ], - "ingested": "2023-09-25T21:55:24.225040722Z", + "ingested": "2023-10-05T13:48:08.716336204Z", "kind": "state", "module": "tychon", "type": [ diff --git a/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml index 3436d4ec7dc..245b06f1437 100644 --- a/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_exposedservice/elasticsearch/ingest_pipeline/default.yml @@ -25,14 +25,15 @@ processors: - set: field: event.kind value: state - - split: - field: host.ipv4 - separator: "," - ignore_missing: true - gsub: field: host.mac pattern: ":" replacement: "-" + ignore_missing: true + - split: + field: host.ipv4 + separator: "," + ignore_missing: true - convert: field: host.uptime type: string diff --git a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json index 5f452a4b541..6e32362133a 100644 --- a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json +++ b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json 
@@ -1,65 +1,69 @@ { - "events": [ - { - "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", - "host.os.name": "Microsoft Windows 10 Pro", - "disk.location.device": "0", - "disk.partition_style": "MBR", - "host.hardware.manufacturer": "VMware, Inc.", - "disk.serial_number": "", - "host.os.build": "19045", - "host.ip": "10.1.9.51", - "disk.boot_from": "true", - "host.hostname": "BOTANYBAYEP1", - "disk.adapter.serial_number": "", - "disk.location.adapter": "0", - "disk.system": "true", - "script.start": "2023-09-25T19:03:48Z", - "disk.size": "42949672960", - "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", - "host.os.organization": "", - "host.hardware.owner": "admin", - "disk.name": "VMware Virtual disk", - "host.workgroup": "WORKGROUP", - "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", - "host.ipv4": "10.1.9.51", - "host.oem.model": "", - "disk.is_boot": "true", - "host.hardware.bios.name": "Phoenix Technologies LTD", - "host.type": "Workstation", - "disk.model": "Virtual disk ", - "disk.health_status": "Healthy", - "disk.number": "0", - "script.current_duration": "13711.00", - "disk.offline": "false", - "disk.location.bus": "3", - "disk.location.pci_slot": "160", - "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", - "host.mac": "00:0C:29:93:6A:F3", - "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", - "host.uptime": "614991.6714276", - "id": "ec85d3b7de5e9d8717b7799a134bd829beada75c", - "disk.firmware.version": "2.0 ", - "disk.location.function": "0", - "script.current_time": "2023-09-25T19:04:02Z", - "disk.bus_type": "SAS", - "disk.manufacturer": "VMware ", - "disk.clustered": "false", - "script.name": "Get-TychonHardDriveInfo.ps1", - "script.version": "2.3.141.0", - "host.oem.manufacturer": "", - "host.os.description": "", - "host.os.version": "2009", - "disk.operational_status": 
"Online", - "disk.number_of_partitions": "3", - "host.ipv6": "", - "host.hardware.bios.version": "6.00", - "disk.id": "{1}\\\\BOTANYBAYEP1\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{c3aa4c8f-3a0e-11ed-91c8-806e6f6e6963}:DI:\\\\?\\scsi#disk\u0026ven_vmware\u0026prod_virtual_disk#5\u00261ec51bf7\u00260\u0026000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\"", - "disk.highly_available": "false", - "script.type": "powershell", - "host.domain": "", - "host.cloud.hosted": "false", - "host.os.family": "Windows" - } - ] + "events": [ + { + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.os.name": "Microsoft Windows 10 Pro", + "disk.location.device": "0", + "disk.partition_style": "MBR", + "host.hardware.manufacturer": "VMware, Inc.", + "disk.serial_number": "", + "host.os.build": "19045", + "host.ip": [ + "10.1.9.51" + ], + "disk.boot_from": "true", + "host.hostname": "BOTANYBAYEP1", + "disk.adapter.serial_number": "", + "disk.location.adapter": "0", + "disk.system": "true", + "script.start": "2023-09-25T19:03:48Z", + "disk.size": "42949672960", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "host.os.organization": "", + "host.hardware.owner": "admin", + "disk.name": "VMware Virtual disk", + "host.workgroup": "WORKGROUP", + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "host.ipv4": "10.1.9.51", + "host.oem.model": "", + "disk.is_boot": "true", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.type": "Workstation", + "disk.model": "Virtual disk", + "disk.health_status": "Healthy", + "disk.number": "0", + "script.current_duration": "13711.00", + "disk.offline": "false", + "disk.location.bus": "3", + "disk.location.pci_slot": "160", + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], + "host.id": 
"c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.uptime": "614991.6714276", + "id": "ec85d3b7de5e9d8717b7799a134bd829beada75c", + "disk.location.function": "0", + "script.current_time": "2023-09-25T19:04:02Z", + "disk.bus_type": "SAS", + "disk.firmware_version": "2.0", + "disk.manufacturer": "VMware", + "disk.clustered": "false", + "script.name": "Get-TychonHardDriveInfo.ps1", + "script.version": "2.3.141.0", + "host.oem.manufacturer": "", + "host.os.description": "", + "host.os.version": "2009", + "disk.operational_status": "Online", + "disk.number_of_partitions": "3", + "host.ipv6": "", + "host.hardware.bios.version": "6.00", + "disk.id": "{1}\\\\BOTANYBAYEP1\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{c3aa4c8f-3a0e-11ed-91c8-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\"", + "disk.highly_available": "false", + "script.type": "powershell", + "host.domain": "", + "host.cloud.hosted": "false", + "host.os.family": "Windows" + } + ] } \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml index 302199c74f9..bec4f152d4a 100644 --- a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml +++ b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml @@ -1,3 +1,4 @@ dynamic_fields: "@timestamp": ".*" event.ingested: ".*" + \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-expected.json b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-expected.json index 80e03157b46..66068c765c4 100644 
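Review bot: The rewritten fixture trims the trailing spaces from `"disk.model": "Virtual disk"`, `"disk.manufacturer": "VMware"` and `"disk.firmware_version": "2.0"` that the previous fixture carried, and the expected output was trimmed to match; if those spaces were captured from a real host (the old values look like padded inventory strings) then production documents will still contain them and exact-match queries on `disk.model` will not behave the way the test now implies. Normalising in the pipeline rather than in the fixture covers both cases: `- trim:` / `field: disk.model` / `ignore_missing: true`, repeated for `disk.manufacturer` and `disk.firmware_version`. The rewrite also drops the file's trailing newline (`\ No newline at end of file`), which is worth restoring so later diffs of this fixture stay clean.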
--- a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-expected.json +++ b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:24.421648324Z", + "@timestamp": "2023-10-05T13:48:09.028702894Z", "disk": { "adapter": { "serial_number": "" @@ -9,9 +9,7 @@ "boot_from": "true", "bus_type": "SAS", "clustered": "false", - "firmware": { - "version": "2.0 " - }, + "firmware_version": "2.0", "health_status": "Healthy", "highly_available": "false", "id": "{1}\\\\BOTANYBAYEP1\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{c3aa4c8f-3a0e-11ed-91c8-806e6f6e6963}:DI:\\\\?\\scsi#disk\u0026ven_vmware\u0026prod_virtual_disk#5\u00261ec51bf7\u00260\u0026000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\"", @@ -23,8 +21,8 @@ "function": "0", "pci_slot": "160" }, - "manufacturer": "VMware ", - "model": "Virtual disk ", + "manufacturer": "VMware", + "model": "Virtual disk", "name": "VMware Virtual disk", "number": "0", "number_of_partitions": "3", @@ -42,7 +40,7 @@ "category": [ "configuration" ], - "ingested": "2023-09-25T21:55:24.421648324Z", + "ingested": "2023-10-05T13:48:09.028702894Z", "kind": "state", "module": "tychon", "type": [ diff --git a/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml index 8db5d7fa333..3d924cbe5e0 100644 --- a/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_harddrive/elasticsearch/ingest_pipeline/default.yml 
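Review bot: The expected document renames `firmware.version` to `firmware_version` under `disk`, but the diffstat for this commit lists no change to the harddrive data stream's fields.yml, so unless that file already declares `disk.firmware_version` the renamed key is unmapped and its handling depends on the template's dynamic setting while the old `disk.firmware.version` definition lingers. Please confirm the field definition and add `- name: firmware_version` with the type the removed nested entry had, and record the rename in changelog.yml since existing visualisations keyed on `disk.firmware.version` stop matching.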
@@ -15,20 +15,13 @@ processors:
- set:
field: event.kind
value: state
- - split:
- field: host.ip
- separator: ","
- ignore_missing: true
- - split:
- field: host.ipv4
- separator: ","
- ignore_missing: true
- gsub:
field: host.mac
pattern: ":"
replacement: "-"
+ ignore_missing: true
- split:
- field: host.mac
+ field: host.ipv4
separator: ","
ignore_missing: true
- convert:
diff --git a/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json b/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json
index dfffaac7c28..233194ba2e9 100644
--- a/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json
+++ b/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json
@@ -4,7 +4,9 @@
"tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
"script.type": "powershell",
"host.os.build": "19045",
- "host.ip": "10.1.9.51",
+ "host.ip": [
+ "10.1.9.51"
+ ],
"script.version": "2.3.141.0",
"host.hostname": "BOTANYBAYEP1",
"host.hardware.manufacturer": "VMware, Inc.",
@@ -26,7 +28,9 @@
"host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
"device.class": "System",
"host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3",
- "host.mac": "00:0C:29:93:6A:F3",
+ "host.mac": [
+ "00:0C:29:93:6A:F3"
+ ],
"device.friendly_name": "Motherboard resources",
"host.oem.model": "",
"host.uptime": "560978.5582333",
diff --git a/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json-expected.json b/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json-expected.json
index 6eeb5394629..370b07e2e04 100644
--- a/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json-expected.json
+++ b/packages/tychon/data_stream/tychon_hardware/_dev/test/pipeline/test-hardware.json-expected.json
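Review bot: Deleting the `split` processors for `host.ip` and `host.mac` shifts the job of producing arrays onto the collector, and the fixtures in this commit were changed to send arrays, but `host.ipv4` is still split here, so one event now mixes two conventions (pre-split arrays for `host.ip`/`host.mac`, a comma-joined string for `host.ipv4`). Any deployed agent that still sends `host.mac` as a comma-joined string will now index a single keyword with an embedded comma, which is the field defenders use to tie inventory records to network telemetry. Rather than removing the processors, keep them behind a type guard so both shapes are accepted: `- split:` / `field: host.mac` / `if: ctx.host?.mac instanceof String`, with the separator and `ignore_missing` as before, and the same for `host.ip`. The identical deletion is made in the hardware, host and networkadapter pipelines.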
@@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:24.604662201Z", + "@timestamp": "2023-10-05T13:48:09.300032381Z", "device": { "class": "System", "description": "Motherboard resources", @@ -19,7 +19,7 @@ "category": [ "configuration" ], - "ingested": "2023-09-25T21:55:24.604662201Z", + "ingested": "2023-10-05T13:48:09.300032381Z", "kind": "state", "module": "tychon", "type": [ diff --git a/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml index 07adaabe93f..1bf708d2ab3 100644 --- a/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_hardware/elasticsearch/ingest_pipeline/default.yml @@ -21,20 +21,13 @@ processors: - set: field: event.module value: tychon - - split: - field: host.ip - separator: "," - ignore_missing: true - - split: - field: host.ipv4 - separator: "," - ignore_missing: true - gsub: field: host.mac pattern: ":" replacement: "-" + ignore_missing: true - split: - field: host.mac + field: host.ipv4 separator: "," ignore_missing: true - convert: diff --git a/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json b/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json index 14f5c2d6271..ac2c4bebf8a 100644 --- a/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json +++ b/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json 
@@ -63,11 +63,15 @@ "tychon.definition.stig": "2023-08-16T17:18:48Z", "event.deviceguard.basevirtualizationsupport.available": "false", "host.cpu.count": "2", - "host.ip": "10.1.9.51", + "host.ip": [ + "10.1.9.51" + ], "event.deviceguard.systemguardsecurelaunch.enabled": "false", "host.security.antivirus.state": "On", "script.name": "Get-TychonHostInfo.ps1", - "host.mac": "00:0C:29:93:6A:F3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], "event.deviceguard.credentialguard.enabled": "false", "host.os.description": "", "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", diff --git a/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json-expected.json b/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json-expected.json index 75aeb57a048..89a8737df6c 100644 --- a/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json-expected.json +++ b/packages/tychon/data_stream/tychon_host/_dev/test/pipeline/test-host.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:24.781576644Z", + "@timestamp": "2023-10-05T13:48:09.537119084Z", "ecs": { "version": "8.8.0" }, @@ -48,7 +48,7 @@ "status": "Off" } }, - "ingested": "2023-09-25T21:55:24.781576644Z", + "ingested": "2023-10-05T13:48:09.537119084Z", "kind": "state", "module": "tychon", "type": [ diff --git a/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml index b26a6b0b418..46f52b94213 100644 --- a/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_host/elasticsearch/ingest_pipeline/default.yml 
@@ -18,20 +18,13 @@ processors: - set: field: event.module value: tychon - - split: - field: host.ip - separator: "," - ignore_missing: true - - split: - field: host.ipv4 - separator: "," - ignore_missing: true - gsub: field: host.mac pattern: ":" replacement: "-" + ignore_missing: true - split: - field: host.mac + field: host.ipv4 separator: "," ignore_missing: true - convert: diff --git a/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json b/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json index 0d6f1310a3c..807e43f4aa6 100644 --- a/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json +++ b/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json @@ -29,7 +29,9 @@ "host.cloud.hosted": "false", "host.hardware.owner": "admin", "script.version": "2.3.141.0", - "host.mac": "00:0C:29:93:6A:F3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], "host.adapter.wifi.channel": "", "host.adapter.driver.name": "Driver Date 2018-06-12 Version 12.17.10.8 NDIS 6.50", "host.ipv6": "", @@ -59,7 +61,9 @@ "host.adapter.description": "Intel(R) 82574L Gigabit Network Connection", "script.start": "2023-09-25T20:03:46Z", "host.adapter.driver.date": "2018-06-12", - "host.ip": "10.1.9.51", + "host.ip": [ + "10.1.9.51" + ], "host.adapter.alias": "Ethernet0", "host.adapter.mac": "00-0C-29-93-6A-F3", "host.adapter.media.type": "802.3", diff --git a/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json-expected.json b/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json-expected.json index 706baa91834..8cc0a71fc85 100644 --- a/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json-expected.json +++ b/packages/tychon/data_stream/tychon_networkadapter/_dev/test/pipeline/test-networkadapter.json-expected.json 
@@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:25.005723813Z", + "@timestamp": "2023-10-05T13:48:09.779537418Z", "ecs": { "version": "8.8.0" }, @@ -9,7 +9,7 @@ "category": [ "configuration" ], - "ingested": "2023-09-25T21:55:25.005723813Z", + "ingested": "2023-10-05T13:48:09.779537418Z", "kind": "state", "module": "tychon", "type": [ @@ -38,7 +38,7 @@ "ip_filter": { "enabled": "false" }, - "link_speed": 1, + "link_speed": 0, "mac": "00-0C-29-93-6A-F3", "media": { "connection_state": "Connected", @@ -63,8 +63,7 @@ "radio_type": "", "signal_percent": "", "ssid": "" - }, - "wins_server": "" + } }, "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", "cloud": { diff --git a/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml index 88e928c63c3..08db5fe566c 100644 --- a/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_networkadapter/elasticsearch/ingest_pipeline/default.yml 
@@ -14,44 +14,61 @@ processors:
value: 8.8.0
- set:
field: event.kind
- value: state
+ value: state
+ - remove:
+ field: host.adapter.ip
+ if: ctx.host.adapter.ip == ''
+ - remove:
+ field: host.adapter.gateway
+ if: ctx.host.adapter.gateway == ''
+ - remove:
+ field: host.adapter.dhcp.server
+ if: ctx.host.adapter.dhcp.server == ''
+ - remove:
+ field: host.adapter.dhcp.lease_obtained
+ if: ctx.host.adapter.dhcp.lease_obtained == ''
+ - remove:
+ field: host.adapter.dhcp.lease_expires
+ if: ctx.host.adapter.dhcp.lease_expires == ''
+ - remove:
+ field: host.adapter.driver.date
+ if: ctx.host.adapter.driver.date == ''
+ - remove:
+ field: host.adapter.wins_server
+ if: ctx.host.adapter.wins_server == ''
- set:
field: link_speed
value: "{{host.adapter.link_speed}}"
- set:
field: host.adapter.link_speed
- value: 1
+ value: 0
- script:
- source: |
+ source:
+ |
if(ctx['link_speed'].contains(' ')){
- String[] link_Speed=ctx['link_speed'].splitOnToken(' ');
+ String[] linkSpeed=ctx['link_speed'].splitOnToken(' ');
ctx.remove('link_speed');
- ctx['host.adapter.link_speed']=Long.parseLong(link_Speed[0]);
- if(link_Speed[1]=='Kbps'){
+ ctx['host.adapter.link_speed']=Long.parseLong(linkSpeed[0]);
+ if(linkSpeed[1]=='Kbps'){
ctx['host.adapter.link_speed']*=1024
}
- if(link_Speed[1]=='Mbps'){
+ if(linkSpeed[1]=='Mbps'){
ctx['host.adapter.link_speed']*=1048576
}
- if(link_Speed[1]=='Gbps'){
+ if(linkSpeed[1]=='Gbps'){
ctx['host.adapter.link_speed']*=1073741824
}
+ } else {
+ ctx.remove('link_speed');
}
ignore_failure: true
- - split:
- field: host.ip
- separator: ","
- ignore_missing: true
- - split:
- field: host.ipv4
- separator: ","
- ignore_missing: true
- gsub:
field: host.mac
pattern: ":"
replacement: "-"
+ ignore_missing: true
- split:
- field: host.mac
+ field: host.ipv4
separator: ","
ignore_missing: true
- convert:
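Review bot: The script still assigns the parsed speed to `ctx['host.adapter.link_speed']`, which inside an ingest script is a literal top-level key spelled with dots, not the nested `host.adapter.link_speed` that the preceding `set` processor initialises, and the expected output in this commit moving from `1` to the new default `0` is consistent with the parsed value never reaching the nested field. Use the nested path, `ctx.host.adapter.link_speed = Long.parseLong(linkSpeed[0]);`, and change the three `*=` scaling lines the same way; with `ignore_failure: true` on the processor this bug is otherwise invisible. The relocated `remove` conditions such as `if: ctx.host.adapter.ip == ''` raise a null-pointer error when `host.adapter` is absent and, having no `ignore_failure`, fail the whole document; the null-safe form `if: ctx.host?.adapter?.ip == ''` avoids that. Separately, the Kbps/Mbps/Gbps multipliers are binary (1024) although link speeds are decimal units, so `1 Gbps` indexes as 1073741824 rather than 1000000000; if that is deliberate a comment saying so would stop the next reader from "fixing" it.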
@@ -84,27 +101,6 @@ processors: - set: field: event.type value: [info] - - remove: - field: host.adapter.ip - if: ctx.host.adapter.ip == '' - - remove: - field: host.adapter.wins_server - if: ctx.host.adapter.wins_server == '' - - remove: - field: host.adapter.gateway - if: ctx.host.adapter.gateway == '' - - remove: - field: host.adapter.dhcp.server - if: ctx.host.adapter.dhcp.server == '' - - remove: - field: host.adapter.dhcp.lease_obtained - if: ctx.host.adapter.dhcp.lease_obtained == '' - - remove: - field: host.adapter.dhcp.lease_expires - if: ctx.host.adapter.dhcp.lease_expires == '' - - remove: - field: host.adapter.driver.date - if: ctx.host.adapter.driver.date == '' - convert: field: script.current_duration type: float diff --git a/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml b/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml index d12f09a5243..1d92ebc5600 100644 --- a/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_networkadapter/fields/fields.yml @@ -9,13 +9,13 @@ description: The Alias given to this adapter - name: description type: text - description: The network adatper description + description: The network adapter description - name: dhcp type: group fields: - name: enabled type: boolean - description: Is DHCP Enabled on this adatper + description: Is DHCP Enabled on this adapter - name: lease_expires type: date description: When does this DHCP lease expire @@ -27,7 +27,7 @@ description: What IP Address was the DHCP IP obtained from. - name: domain type: text - description: What domain was assigned to this adatper + description: What domain was assigned to this adapter - name: driver type: group fields: @@ -57,7 +57,7 @@ description: ID Of the adapter - name: ip type: ip - description: IP Addresses assigned to the adatper + description: IP Addresses assigned to the adapter - name: ip_filter type: group fields: 
@@ -66,10 +66,10 @@ description: Is IP Filtering Enabled - name: wins_server type: ip - description: The WINS Server attached to this adatper + description: The WINS Server attached to this adapter - name: link_speed type: long - description: Link speed of the adatper + description: Link speed of the adapter - name: mac type: keyword description: Hardware MAC Address diff --git a/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json-expected.json b/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json-expected.json index 4e291b54af3..7ea90e1af0f 100644 --- a/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json-expected.json +++ b/packages/tychon/data_stream/tychon_patch/_dev/test/pipeline/test-patch.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:25.184645812Z", + "@timestamp": "2023-10-05T13:48:10.040484755Z", "ecs": { "version": "8.8.0" }, @@ -9,7 +9,7 @@ "category": [ "vulnerability" ], - "ingested": "2023-09-25T21:55:25.184645812Z", + "ingested": "2023-10-05T13:48:10.040484755Z", "kind": "state", "module": "tychon", "outcome": "failure", diff --git a/packages/tychon/data_stream/tychon_patch/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_patch/elasticsearch/ingest_pipeline/default.yml index 3d6d422c24b..bfc8a8fcc9d 100644 --- a/packages/tychon/data_stream/tychon_patch/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_patch/elasticsearch/ingest_pipeline/default.yml @@ -32,14 +32,15 @@ processors: - set: field: event.module value: tychon - - split: - field: host.ipv4 - separator: "," - ignore_missing: true - gsub: field: host.mac pattern: ":" replacement: "-" + ignore_missing: true + - split: + field: host.ipv4 + separator: "," + ignore_missing: true - convert: field: host.uptime type: string 
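Review bot: The `split` on `host.ipv4` that this hunk moves below the `gsub` still has no `ignore_failure` or type guard, while the fixtures changed in this same commit turn `host.ip` and `host.mac` from comma-separated strings into arrays; if the collector starts sending `host.ipv4` as an array as well, `split` throws and the whole event is dropped instead of indexed. A guard such as `if: ctx.host?.ipv4 instanceof String` on the split (or `ignore_failure: true`) keeps a format change in the producer from silently losing inventory data. The same `gsub`/`split` stanza is repeated verbatim in the tychon_softwareinventory, tychon_stig and tychon_volume pipelines further down in this patch and would want the same guard; the `processors` list continues outside the hunk.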
diff --git a/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json b/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json index b17da9fa4a8..9c880f7f052 100644 --- a/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json +++ b/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json @@ -6,7 +6,9 @@ "script.current_time": "2023-09-25T04:03:27Z", "package.size": "", "host.os.build": "19045", - "host.ip": "10.1.9.51", + "host.ip": [ + "10.1.9.51" + ], "host.hostname": "BOTANYBAYEP1", "host.hardware.manufacturer": "VMware, Inc.", "script.start": "2023-09-25T04:03:20Z", @@ -30,7 +32,9 @@ "package.name": "McAfee Agent", "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", - "host.mac": "00:0C:29:93:6A:F3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], "package.version_major": "5", "host.oem.model": "", "host.uptime": "560963.1794915", diff --git a/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json-expected.json b/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json-expected.json index a3ce044132b..7bdb937e8d6 100644 --- a/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json-expected.json +++ b/packages/tychon/data_stream/tychon_softwareinventory/_dev/test/pipeline/test-softwareinventory.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:25.376048106Z", + "@timestamp": "2023-10-05T13:48:10.296137904Z", "ecs": { "version": "8.8.0" }, @@ -9,7 +9,7 @@ "category": [ "package" ], - "ingested": "2023-09-25T21:55:25.376048106Z", + "ingested": "2023-10-05T13:48:10.296137904Z", "kind": "state", "module": "tychon", "type": [ 
diff --git a/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml index c5d2be26924..26cbade110e 100644 --- a/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_softwareinventory/elasticsearch/ingest_pipeline/default.yml @@ -20,20 +20,13 @@ processors: field: package.installed value: "1970-01-01T00:00:01Z" if: ctx.package.installed == '' - - split: - field: host.ip - separator: "," - ignore_missing: true - - split: - field: host.ipv4 - separator: "," - ignore_missing: true - gsub: field: host.mac pattern: ":" replacement: "-" + ignore_missing: true - split: - field: host.mac + field: host.ipv4 separator: "," ignore_missing: true - convert: diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json index 67fd3531118..c2f5503e944 100644 --- a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json +++ b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:25.564944350Z", + "@timestamp": "2023-10-05T13:48:10.602964719Z", "benchmark": { "generated_utc": "1664376309000", "hash": "858A198F20EB96D46BE795A24F17C19D25CEF91AA919E8D19A13A4E6AA65D667", @@ -18,7 +18,7 @@ "vulnerability", "configuration" ], - "ingested": "2023-09-25T21:55:25.564944350Z", + "ingested": "2023-10-05T13:48:10.602964719Z", "kind": "state", "module": "tychon", "type": [ diff --git a/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml index 03b88ca4302..2bf85b3687b 100644 
--- a/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml @@ -19,14 +19,15 @@ processors: - set: field: ecs.version value: '8.8.0' - - split: - field: host.ipv4 - separator: "," - ignore_missing: true - gsub: field: host.mac pattern: ":" replacement: "-" + ignore_missing: true + - split: + field: host.ipv4 + separator: "," + ignore_missing: true - convert: field: host.uptime type: string diff --git a/packages/tychon/data_stream/tychon_stig/fields/fields.yml b/packages/tychon/data_stream/tychon_stig/fields/fields.yml index 9b66266c59e..a5fed1a0465 100644 --- a/packages/tychon/data_stream/tychon_stig/fields/fields.yml +++ b/packages/tychon/data_stream/tychon_stig/fields/fields.yml @@ -4,9 +4,6 @@ - name: id description: Benchmark ID. type: keyword - - name: guid - description: Benchmark GUID. - type: keyword - name: generated_utc description: Benchmark UTC. type: date @@ -67,8 +64,8 @@ - name: benchmark type: group fields: - - name: guid - description: Benchmark Rule GUID. + - name: id + description: Benchmark Rule ID. type: keyword - name: profile.id description: Benchmark Rule Profile Identifier. diff --git a/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json b/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json index bcd83cbbc9b..8af415927e9 100644 --- a/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json +++ b/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json @@ -7,7 +7,9 @@ "volume.size": "52424704", "script.type": "powershell", "host.os.build": "19045", - "host.ip": "10.1.9.51", + "host.ip": [ + "10.1.9.51" + ], "host.hostname": "BOTANYBAYEP1", "host.hardware.manufacturer": "VMware, Inc.", "script.start": "2023-09-25T21:04:42Z", 
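Review bot: Dropping `benchmark.guid` and renaming `rule.benchmark.guid` to `rule.benchmark.id` in the stig fields.yml changes the mapped schema, but no matching `rename` processor for `rule.benchmark.guid` appears in the stig ingest pipeline hunk above, and the only changelog text visible in this series says "Fixed incorrect types in field.yml and cleaned up formatting". If the collector script still emits `rule.benchmark.guid`, the value lands as a dynamically mapped field (or is rejected, depending on the data stream's dynamic setting) while `rule.benchmark.id` stays empty, and any saved search or dashboard filtering on the old name silently matches nothing. Either confirm the script now emits `rule.benchmark.id`, or add `- rename: {field: rule.benchmark.guid, target_field: rule.benchmark.id, ignore_missing: true}` to the stig pipeline, and call the field rename out in the changelog as a breaking change.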
@@ -30,7 +32,9 @@ "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", "volume.dirty_bit_set": "false", "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", - "host.mac": "00:0C:29:93:6A:F3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], "volume.id": "\\\\?\\Volume{2d47d57f-0000-0000-0000-100000000000}\\", "volume.automount": "true", "host.oem.model": "", diff --git a/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json-expected.json b/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json-expected.json index 7a0f32749d9..71ec1f6fdd6 100644 --- a/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json-expected.json +++ b/packages/tychon/data_stream/tychon_volume/_dev/test/pipeline/test-volumes.json-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-25T21:55:25.744268763Z", + "@timestamp": "2023-10-05T13:48:10.874308564Z", "ecs": { "version": "8.8.0" }, @@ -9,7 +9,7 @@ "category": [ "configuration" ], - "ingested": "2023-09-25T21:55:25.744268763Z", + "ingested": "2023-10-05T13:48:10.874308564Z", "kind": "state", "module": "tychon", "type": [ diff --git a/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml index cf42e4afd48..2a7a68d5816 100644 --- a/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml @@ -18,20 +18,13 @@ processors: - set: field: event.module value: tychon - - split: - field: host.ip - separator: "," - ignore_missing: true - - split: - field: host.ipv4 - separator: "," - ignore_missing: true - gsub: field: host.mac pattern: ":" replacement: "-" + ignore_missing: true - split: - field: host.mac + field: host.ipv4 separator: "," ignore_missing: true - convert: 
diff --git a/packages/tychon/docs/README.md b/packages/tychon/docs/README.md
index 87e81503ecc..4c9cd4c1ad1 100644
--- a/packages/tychon/docs/README.md
+++ b/packages/tychon/docs/README.md
@@ -807,12 +807,12 @@ The TYCHON script scans an endpoint's Network Adapter Configurations and returns | event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | | host.adapter.alias | The Alias given to this adapter | keyword | -| host.adapter.description | The network adatper description | text | -| host.adapter.dhcp.enabled | Is DHCP Enabled on this adatper | boolean | +| host.adapter.description | The network adapter description | text | +| host.adapter.dhcp.enabled | Is DHCP Enabled on this adapter | boolean | | host.adapter.dhcp.lease_expires | When does this DHCP lease expire | date | | host.adapter.dhcp.lease_obtained | When was the DHCP lease obtained | date | | host.adapter.dhcp.server | What IP Address was the DHCP IP obtained from. | ip | -| host.adapter.domain | What domain was assigned to this adatper | text | +| host.adapter.domain | What domain was assigned to this adapter | text | | host.adapter.driver.date | Date the driver was installed | date | | host.adapter.driver.description | Description of the driver | text | | host.adapter.driver.file_name | Driver File name | keyword | @@ -821,9 +821,9 @@ The TYCHON script scans an endpoint's Network Adapter Configurations and returns | host.adapter.driver.version | Version of the driver | keyword | | host.adapter.gateway | Gateway IP Address | ip | | host.adapter.id | ID Of the adapter | keyword | -| host.adapter.ip | IP Addresses assigned to the adatper | ip | +| host.adapter.ip | IP Addresses assigned to the adapter | ip | | host.adapter.ip_filter.enabled | Is IP Filtering Enabled | boolean | -| host.adapter.link_speed | Link speed of the adatper | long | +| host.adapter.link_speed | Link speed of the adapter | long | | host.adapter.mac | Hardware MAC Address | keyword | | host.adapter.media.connection_state | Current Connection State | keyword | | host.adapter.media.type | Current Connection Media Type | keyword | 
@@ -841,7 +841,7 @@ The TYCHON script scans an endpoint's Network Adapter Configurations and returns | host.adapter.wifi.radio_type | The radio type of the connected WIFI Router | keyword | | host.adapter.wifi.signal_percent | Signal strenth to connected WIFI Router | integer | | host.adapter.wifi.ssid | The Connected WIFI Router SSID | keyword | -| host.adapter.wins_server | The WINS Server attached to this adatper | ip | +| host.adapter.wins_server | The WINS Server attached to this adapter | ip | | host.biossn | Host BIOS Serial Number. | keyword | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | host.hardware.bios.name | Host BIOS Name. | keyword | @@ -988,7 +988,6 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X | agent.version | Version of the agent. | keyword | | benchmark.count | Benchmark Summary Name List Item Count. | long | | benchmark.generated_utc | Benchmark UTC. | date | -| benchmark.guid | Benchmark GUID. | keyword | | benchmark.hash | Benchmark SHA256 Hash | keyword | | benchmark.id | Benchmark ID. | keyword | | benchmark.list | Benchmark Summary Name List. | keyword | 
@@ -1043,7 +1042,7 @@ The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/X | package.name | Package name | keyword | | package.reference | Home page or reference URL of the software in this package, if available. | keyword | | package.type | Type of package. This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. | keyword | -| rule.benchmark.guid | Benchmark Rule GUID. | keyword | +| rule.benchmark.id | Benchmark Rule ID. | keyword | | rule.benchmark.profile.id | Benchmark Rule Profile Identifier. | keyword | | rule.benchmark.title | Benchmark Rule Title. | keyword | | rule.finding_id | Benchmark Rule Finding Identifier. | keyword | diff --git a/packages/tychon/elasticIntegration/esLogs.sh b/packages/tychon/elasticIntegration/esLogs.sh new file mode 100644 index 00000000000..2ded31d0567 --- /dev/null +++ b/packages/tychon/elasticIntegration/esLogs.sh @@ -0,0 +1 @@ +journalctl -u elasticsearch -f diff --git a/packages/tychon/elasticIntegration/installPkg.sh b/packages/tychon/elasticIntegration/installPkg.sh new file mode 100644 index 00000000000..0bc9215632b --- /dev/null +++ b/packages/tychon/elasticIntegration/installPkg.sh @@ -0,0 +1,18 @@ +#!/bin/sh +$(elastic-package stack shellinit) +cd ./tychon +elastic-package uninstall +elastic-package clean +if elastic-package check ;then + while read line; do + if [[ $line == "version:"* ]]; then + set -- $line + version=$2 + fi + done < manifest.yml + docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml down + cp /root/elasticIntegration/build/packages/tychon-$version.zip /root/.elastic-package/stack/development/ + docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml build + docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml up -d + elastic-package install +fi 
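Review bot: `$(elastic-package stack shellinit)` on line 2 of installPkg.sh runs the command's output as a command line instead of evaluating it in the current shell, so the `export` lines it prints (assuming the usual shellinit output) are word-split into a single `export` invocation and any value containing whitespace breaks; the idiom is `eval "$(elastic-package stack shellinit)"`. The script also declares `#!/bin/sh` but uses `[[ $line == "version:"* ]]`, a bash extension that fails under dash, and it bakes in `/root/...` paths, tying it to an interactive root login. The same `shellinit` line is repeated in startDocker.sh, startElastic.sh, startFleet.sh, startRegistry.sh and stopDocker.sh below, where `cmd & wait $!` is equivalent to running `cmd` in the foreground and stopDocker.sh's `wait $!` has no background job to wait for. PATCH 2/2 in this series deletes the whole elasticIntegration/ directory again, so if these helpers are not meant to ship in the package the first patch could simply not add them.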
diff --git a/packages/tychon/elasticIntegration/kibanLogs.sh b/packages/tychon/elasticIntegration/kibanLogs.sh
new file mode 100644
index 00000000000..71fc089df4d
--- /dev/null
+++ b/packages/tychon/elasticIntegration/kibanLogs.sh
@@ -0,0 +1 @@
+journalctl -u kibana -f
diff --git a/packages/tychon/elasticIntegration/startDocker.sh b/packages/tychon/elasticIntegration/startDocker.sh
new file mode 100644
index 00000000000..3c4b5bae86b
--- /dev/null
+++ b/packages/tychon/elasticIntegration/startDocker.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+$(elastic-package stack shellinit)
+cd ./tychon
+docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml up -d &
+wait $!
+docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_es.yml up -d &
+wait $!
+docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_kb.yml up -d &
+wait $!
+docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_fl.yml up -d &
+wait $!
+docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_ag.yml up -d &
+wait $!
+docker container ls
diff --git a/packages/tychon/elasticIntegration/startElastic.sh b/packages/tychon/elasticIntegration/startElastic.sh
new file mode 100644
index 00000000000..e911e8f5ef7
--- /dev/null
+++ b/packages/tychon/elasticIntegration/startElastic.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+$(elastic-package stack shellinit)
+cd ./tychon
+docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml up -d &
+wait $!
+docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_es.yml up -d &
+wait $!
+docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_kb.yml up -d &
+wait $!
+docker container ls
diff --git a/packages/tychon/elasticIntegration/startFleet.sh b/packages/tychon/elasticIntegration/startFleet.sh
new file mode 100644
index 00000000000..4aab2465530
--- /dev/null
+++ b/packages/tychon/elasticIntegration/startFleet.sh
@@ -0,0 +1,8 @@ +#!/bin/sh +$(elastic-package stack shellinit) +cd ./tychon +docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_fl.yml up -d & +sleep 20 +docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_ag.yml up -d & +wait $! +docker container ls diff --git a/packages/tychon/elasticIntegration/startRegistry.sh b/packages/tychon/elasticIntegration/startRegistry.sh new file mode 100644 index 00000000000..f84289005e8 --- /dev/null +++ b/packages/tychon/elasticIntegration/startRegistry.sh @@ -0,0 +1,6 @@ +#!/bin/sh +$(elastic-package stack shellinit) +cd ./tychon +docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml -p elastic-package-stack up -d & +wait $! +docker container ls diff --git a/packages/tychon/elasticIntegration/stopDocker.sh b/packages/tychon/elasticIntegration/stopDocker.sh new file mode 100644 index 00000000000..67c93bcd9ef --- /dev/null +++ b/packages/tychon/elasticIntegration/stopDocker.sh @@ -0,0 +1,6 @@ +#!/bin/sh +$(elastic-package stack shellinit) +cd ./tychon +docker ps -aq | xargs docker stop | xargs docker rm +wait $! +docker container ls diff --git a/packages/tychon/manifest.yml b/packages/tychon/manifest.yml index e6371aadc56..9acd3ebbc48 100644 --- a/packages/tychon/manifest.yml +++ b/packages/tychon/manifest.yml @@ -2,7 +2,7 @@ format_version: 2.0.0 name: tychon release: beta title: "TYCHON Agentless" -version: 0.0.54 +version: 0.0.55 source: license: "Elastic-2.0" description: TYCHON Agentless delivers STIG, CVE/IAVA, and Endpoint Protection status without adding new server infrastructure or services to your endpoints. TYCHON datasets fully comply with vulnerability and STIG reporting standards and integrate into Comply-to-Connect for instant zero trust value. From 896e08aa1e0b65666fe39f7967a4e91f14124360 Mon Sep 17 00:00:00 2001 
From: Bruce Hodge Date: Fri, 6 Oct 2023 11:29:57 -0400 Subject: [PATCH 2/2] Added Failsafe processors to volume ingest pipeline --- packages/tychon/changelog.yml | 2 +- .../_dev/test/pipeline/test-harddrive.json | 134 +++++++++--------- .../pipeline/test-harddrive.json-config.yml | 1 - .../elasticsearch/ingest_pipeline/default.yml | 16 +++ packages/tychon/elasticIntegration/esLogs.sh | 1 - .../tychon/elasticIntegration/installPkg.sh | 18 --- .../tychon/elasticIntegration/kibanLogs.sh | 1 - .../tychon/elasticIntegration/startDocker.sh | 14 -- .../tychon/elasticIntegration/startElastic.sh | 10 -- .../tychon/elasticIntegration/startFleet.sh | 8 -- .../elasticIntegration/startRegistry.sh | 6 - .../tychon/elasticIntegration/stopDocker.sh | 6 - .../transform/volume/transform.yml | 7 +- ...e87c0-41ab-11ee-83e4-c92ed141b9e5-epp.json | 2 +- packages/tychon/manifest.yml | 2 +- 15 files changed, 92 insertions(+), 136 deletions(-) delete mode 100644 packages/tychon/elasticIntegration/esLogs.sh delete mode 100644 packages/tychon/elasticIntegration/installPkg.sh delete mode 100644 packages/tychon/elasticIntegration/kibanLogs.sh delete mode 100644 packages/tychon/elasticIntegration/startDocker.sh delete mode 100644 packages/tychon/elasticIntegration/startElastic.sh delete mode 100644 packages/tychon/elasticIntegration/startFleet.sh delete mode 100644 packages/tychon/elasticIntegration/startRegistry.sh delete mode 100644 packages/tychon/elasticIntegration/stopDocker.sh diff --git a/packages/tychon/changelog.yml b/packages/tychon/changelog.yml index 581aabf21dd..9c7d3d826ff 100644 --- a/packages/tychon/changelog.yml +++ b/packages/tychon/changelog.yml @@ -1,4 +1,4 @@ -- version: 0.0.55 +- version: 0.0.57 changes: - description: Fixed incorrect types in field.yml and cleaned up formatting type: enhancement 
diff --git a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json
index 6e32362133a..c7ad1f82216 100644
--- a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json
+++ b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json
@@ -1,69 +1,69 @@ { - "events": [ - { - "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", - "host.os.name": "Microsoft Windows 10 Pro", - "disk.location.device": "0", - "disk.partition_style": "MBR", - "host.hardware.manufacturer": "VMware, Inc.", - "disk.serial_number": "", - "host.os.build": "19045", - "host.ip": [ - "10.1.9.51" - ], - "disk.boot_from": "true", - "host.hostname": "BOTANYBAYEP1", - "disk.adapter.serial_number": "", - "disk.location.adapter": "0", - "disk.system": "true", - "script.start": "2023-09-25T19:03:48Z", - "disk.size": "42949672960", - "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", - "host.os.organization": "", - "host.hardware.owner": "admin", - "disk.name": "VMware Virtual disk", - "host.workgroup": "WORKGROUP", - "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", - "host.ipv4": "10.1.9.51", - "host.oem.model": "", - "disk.is_boot": "true", - "host.hardware.bios.name": "Phoenix Technologies LTD", - "host.type": "Workstation", - "disk.model": "Virtual disk", - "disk.health_status": "Healthy", - "disk.number": "0", - "script.current_duration": "13711.00", - "disk.offline": "false", - "disk.location.bus": "3", - "disk.location.pci_slot": "160", - "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", - "host.mac": [ - "00:0C:29:93:6A:F3" - ], - "host.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", - "host.uptime": "614991.6714276", - "id": "ec85d3b7de5e9d8717b7799a134bd829beada75c", - "disk.location.function": "0", - "script.current_time": "2023-09-25T19:04:02Z", - "disk.bus_type": "SAS", - "disk.firmware_version": "2.0", - "disk.manufacturer": "VMware", - "disk.clustered": "false", - "script.name": "Get-TychonHardDriveInfo.ps1", - "script.version": "2.3.141.0", - "host.oem.manufacturer": "", - "host.os.description": "", - "host.os.version": "2009", - 
"disk.operational_status": "Online", - "disk.number_of_partitions": "3", - "host.ipv6": "", - "host.hardware.bios.version": "6.00", - "disk.id": "{1}\\\\BOTANYBAYEP1\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{c3aa4c8f-3a0e-11ed-91c8-806e6f6e6963}:DI:\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\"", - "disk.highly_available": "false", - "script.type": "powershell", - "host.domain": "", - "host.cloud.hosted": "false", - "host.os.family": "Windows" - } - ] + "events": [ + { + "tychon.id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.os.name": "Microsoft Windows 10 Pro", + "disk.location.device": "0", + "disk.partition_style": "MBR", + "host.hardware.manufacturer": "VMware, Inc.", + "disk.serial_number": "", + "host.os.build": "19045", + "host.ip": [ + "10.1.9.51" + ], + "disk.boot_from": "true", + "host.hostname": "BOTANYBAYEP1", + "disk.adapter.serial_number": "", + "disk.location.adapter": "0", + "disk.system": "true", + "script.start": "2023-09-25T19:03:48Z", + "disk.size": "42949672960", + "host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7", + "host.os.organization": "", + "host.hardware.owner": "admin", + "disk.name": "VMware Virtual disk", + "host.workgroup": "WORKGROUP", + "host.hardware.serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3", + "host.ipv4": "10.1.9.51", + "host.oem.model": "", + "disk.is_boot": "true", + "host.hardware.bios.name": "Phoenix Technologies LTD", + "host.type": "Workstation", + "disk.model": "Virtual disk", + "disk.health_status": "Healthy", + "disk.number": "0", + "script.current_duration": "13711.00", + "disk.offline": "false", + "disk.location.bus": "3", + "disk.location.pci_slot": "160", + "host.biossn": "737C4D56-5714-9415-3B54-352BA8936AF3", + "host.mac": [ + "00:0C:29:93:6A:F3" + ], + "host.id": 
"c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP", + "host.uptime": "614991.6714276", + "id": "ec85d3b7de5e9d8717b7799a134bd829beada75c", + "disk.location.function": "0", + "script.current_time": "2023-09-25T19:04:02Z", + "disk.bus_type": "SAS", + "disk.firmware_version": "2.0", + "disk.manufacturer": "VMware", + "disk.clustered": "false", + "script.name": "Get-TychonHardDriveInfo.ps1", + "script.version": "2.3.141.0", + "host.oem.manufacturer": "", + "host.os.description": "", + "host.os.version": "2009", + "disk.operational_status": "Online", + "disk.number_of_partitions": "3", + "host.ipv6": "", + "host.hardware.bios.version": "6.00", + "disk.id": "{1}\\\\BOTANYBAYEP1\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Disk.ObjectId=\"{c3aa4c8f-3a0e-11ed-91c8-806e6f6e6963}:DI:\\\\?\\scsi#disk\u0026ven_vmware\u0026prod_virtual_disk#5\u00261ec51bf7\u00260\u0026000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\"", + "disk.highly_available": "false", + "script.type": "powershell", + "host.domain": "", + "host.cloud.hosted": "false", + "host.os.family": "Windows" + } + ] } \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml index bec4f152d4a..302199c74f9 100644 --- a/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml +++ b/packages/tychon/data_stream/tychon_harddrive/_dev/test/pipeline/test-harddrive.json-config.yml @@ -1,4 +1,3 @@ dynamic_fields: "@timestamp": ".*" event.ingested: ".*" - \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml index 2a7a68d5816..6a281c93c67 100644 
--- a/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_volume/elasticsearch/ingest_pipeline/default.yml @@ -44,6 +44,22 @@ processors: field: tempuptime ignore_failure: true ignore_missing: true + - set: + field: volume.block_size + value: 0 + if: ctx.volume.block_size == '' + - set: + field: volume.freespace + value: 0 + if: ctx.volume.freespace == '' + - set: + field: volume.percent_full + value: 100 + if: ctx.volume.percent_full == '' || ctx.volume.percent_full == 'NaN' + - set: + field: volume.size + value: 0 + if: ctx.volume.size == '' - convert: field: volume.block_size type: long diff --git a/packages/tychon/elasticIntegration/esLogs.sh b/packages/tychon/elasticIntegration/esLogs.sh deleted file mode 100644 index 2ded31d0567..00000000000 --- a/packages/tychon/elasticIntegration/esLogs.sh +++ /dev/null @@ -1 +0,0 @@ -journalctl -u elasticsearch -f diff --git a/packages/tychon/elasticIntegration/installPkg.sh b/packages/tychon/elasticIntegration/installPkg.sh deleted file mode 100644 index 0bc9215632b..00000000000 --- a/packages/tychon/elasticIntegration/installPkg.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh -$(elastic-package stack shellinit) -cd ./tychon -elastic-package uninstall -elastic-package clean -if elastic-package check ;then - while read line; do - if [[ $line == "version:"* ]]; then - set -- $line - version=$2 - fi - done < manifest.yml - docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml down - cp /root/elasticIntegration/build/packages/tychon-$version.zip /root/.elastic-package/stack/development/ - docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml build - docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml up -d - elastic-package install -fi 
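Review bot: The four added `set` processors test `ctx.volume.<field> == ''` without null-safe access, so an event without a `volume` object fails the pipeline with a null-pointer error; use `ctx.volume?.block_size == ''` and the same for the other three. More importantly, the chosen fallbacks are sentinel values inside each field's valid range: an empty or `NaN` `percent_full` becomes `100`, which any visualization or alert on nearly-full volumes will treat as a genuinely full disk, and `size`/`freespace`/`block_size` of `0` read as an empty volume rather than as unknown data. Since these guards exist only to keep the following `convert` processors from failing, the safer pattern is the one the networkadapter pipeline in this series uses — `remove` the field when it is empty, for example `- remove: {field: volume.percent_full, if: "ctx.volume?.percent_full == '' || ctx.volume?.percent_full == 'NaN'"}` — so the missing value stays missing, provided the converts carry `ignore_missing: true`. The `processors` list continues outside the hunk.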
diff --git a/packages/tychon/elasticIntegration/kibanLogs.sh b/packages/tychon/elasticIntegration/kibanLogs.sh deleted file mode 100644 index 71fc089df4d..00000000000 --- a/packages/tychon/elasticIntegration/kibanLogs.sh +++ /dev/null @@ -1 +0,0 @@ -journalctl -u kibana -f diff --git a/packages/tychon/elasticIntegration/startDocker.sh b/packages/tychon/elasticIntegration/startDocker.sh deleted file mode 100644 index 3c4b5bae86b..00000000000 --- a/packages/tychon/elasticIntegration/startDocker.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh -$(elastic-package stack shellinit) -cd ./tychon -docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml up -d & -wait $! -docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_es.yml up -d & -wait $! -docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_kb.yml up -d & -wait $! -docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_fl.yml up -d & -wait $! -docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_ag.yml up -d & -wait $! -docker container ls diff --git a/packages/tychon/elasticIntegration/startElastic.sh b/packages/tychon/elasticIntegration/startElastic.sh deleted file mode 100644 index e911e8f5ef7..00000000000 --- a/packages/tychon/elasticIntegration/startElastic.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/sh -$(elastic-package stack shellinit) -cd ./tychon -docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml up -d & -wait $! -docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_es.yml up -d & -wait $! -docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_kb.yml up -d & -wait $! -docker container ls diff --git a/packages/tychon/elasticIntegration/startFleet.sh b/packages/tychon/elasticIntegration/startFleet.sh deleted file mode 100644 index 4aab2465530..00000000000 --- a/packages/tychon/elasticIntegration/startFleet.sh +++ /dev/null 
@@ -1,8 +0,0 @@
-#!/bin/sh
-$(elastic-package stack shellinit)
-cd ./tychon
-docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_fl.yml up -d &
-sleep 20
-docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_ag.yml up -d &
-wait $!
-docker container ls
diff --git a/packages/tychon/elasticIntegration/startRegistry.sh b/packages/tychon/elasticIntegration/startRegistry.sh
deleted file mode 100644
index f84289005e8..00000000000
--- a/packages/tychon/elasticIntegration/startRegistry.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-$(elastic-package stack shellinit)
-cd ./tychon
-docker-compose -f /root/.elastic-package/profiles/default/stack/snapshot_reg.yml -p elastic-package-stack up -d &
-wait $!
-docker container ls
diff --git a/packages/tychon/elasticIntegration/stopDocker.sh b/packages/tychon/elasticIntegration/stopDocker.sh
deleted file mode 100644
index 67c93bcd9ef..00000000000
--- a/packages/tychon/elasticIntegration/stopDocker.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-$(elastic-package stack shellinit)
-cd ./tychon
-docker ps -aq | xargs docker stop | xargs docker rm
-wait $!
-docker container ls
diff --git a/packages/tychon/elasticsearch/transform/volume/transform.yml b/packages/tychon/elasticsearch/transform/volume/transform.yml
index 4b91e6a6fb8..bb49ae41b36 100644
--- a/packages/tychon/elasticsearch/transform/volume/transform.yml
+++ b/packages/tychon/elasticsearch/transform/volume/transform.yml
@@ -1,6 +1,11 @@
 source:
 index:
 - logs-tychon.tychon_volume-*
+ query:
+ bool:
+ must:
+ - match_phrase:
+ event.kind: "state"
 dest:
 index: tychon_volume
 frequency: 30m
@@ -13,7 +18,7 @@ latest:
 - id
 sort: '@timestamp'
 _meta:
- fleet_transform_version: 1.0.3
+ fleet_transform_version: 1.0.4
 run_as_kibana_system: false
 managed: true
 description: This transformation ensures there is a running configuration of what volumes are currently on a device from TYCHON.
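Review bot: The added `event.kind` constraint in the transform's source query sits under `must`, which is a scoring clause; for an exact-value restriction that only decides which documents the transform reads, `filter:` is the conventional clause (no scoring, cacheable), and if `event.kind` is mapped as a keyword, as it is in ECS, `term` expresses the exact match more directly than `match_phrase`. Proposed: `filter:` / `- term:` / `event.kind: "state"` in place of the `must` / `match_phrase` pair. Either form selects the same documents, so this is a point of style rather than correctness.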
diff --git a/packages/tychon/kibana/dashboard/tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp.json b/packages/tychon/kibana/dashboard/tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp.json
index 7c65218eeef..ac948619cd8 100644
--- a/packages/tychon/kibana/dashboard/tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp.json
+++ b/packages/tychon/kibana/dashboard/tychon-b85e87c0-41ab-11ee-83e4-c92ed141b9e5-epp.json
@@ -4,7 +4,7 @@
 "chainingSystem": "HIERARCHICAL",
 "controlStyle": "oneLine",
 "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}",
- "panelsJSON": "{\"a9a1905e-d884-49b1-9f30-bae69dd0f668\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"Hostname\",\"id\":\"a9a1905e-d884-49b1-9f30-bae69dd0f668\",\"selectedOptions\":[\"BotanyBayEP1\"],\"existsSelected\":false,\"hideExists\":true,\"hideExclude\":true,\"singleSelect\":true,\"enhancements\":{}}}}"
+ "panelsJSON": "{\"a9a1905e-d884-49b1-9f30-bae69dd0f668\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.hostname\",\"title\":\"Hostname\",\"id\":\"a9a1905e-d884-49b1-9f30-bae69dd0f668\",\"existsSelected\":false,\"hideExists\":true,\"hideExclude\":true,\"singleSelect\":true,\"enhancements\":{}}}}"
 },
 "description": "The \"TYCHON Endpoint Browser\" dashboard provides host visualization data for a single endpoint at a time. The dashboard is a set of several individual views broken down by tabs near the top of the screen. The TYCHON Endpoint Browser – Endpoint Protection view displays the status of your AV vendors and virtualization protection mechanisms, whether they are enabled, and if they are up to date.",
 "kibanaSavedObjectMeta": {
diff --git a/packages/tychon/manifest.yml b/packages/tychon/manifest.yml
index 9acd3ebbc48..447be463b4c 100644
--- a/packages/tychon/manifest.yml
+++ b/packages/tychon/manifest.yml
@@ -2,7 +2,7 @@ format_version: 2.0.0
 name: tychon
 release: beta
 title: "TYCHON Agentless"
-version: 0.0.55
+version: 0.0.57
 source:
 license: "Elastic-2.0"
 description: TYCHON Agentless delivers STIG, CVE/IAVA, and Endpoint Protection status without adding new server infrastructure or services to your endpoints. TYCHON datasets fully comply with vulnerability and STIG reporting standards and integrate into Comply-to-Connect for instant zero trust value.