Visualize - include CDB Lists


German DiCasas

Jul 4, 2024, 11:59:52 AM7/4/24
to Wazuh | Mailing List
Hi team,

I just upgraded to 4.8, all good for now. I want to know how to include CDB lists in Visualize. I mean, I want to do a custom filter with the CDB list, or better, do it in a Bucket. Is it possible?

For example, I want to filter, in Visualize, data.win.eventdata.targetUserName by a CDB list. How can I do that?

I hope it is possible...

For now I did it with an OpenSearch Query DSL like the one below. It works, but it is not what I want... I need to use CDB.


  "query": {
    "bool": {
      "minimum_should_match": 1,
      "should": [
        {
          "match_phrase": {
            "data.win.eventdata.targetUserName": "Administrador"
          }
        },
        ...etc

Regards

German

Md. Nazmur Sakib

Jul 5, 2024, 7:15:55 AM7/5/24
to Wazuh | Mailing List

Hi German,



The CDB list is not usable in DSL queries or for filtering the alert events in the Dashboard. CDB lists can only be used in Wazuh rules.

Ref: https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html



You can use a query like this in DSL for a multiple-value list:

{
  "query": {
    "bool": {
      "should": [
        {
          "match_phrase": {
            "data.win.eventdata.targetUserName": "Administrador"
          }
        },
        {
          "match_phrase": {
            "data.win.eventdata.targetUserName": "server"
          }
        },
        {
          "match_phrase": {
            "data.win.eventdata.targetUserName": "admin"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}




Ref: https://opensearch.org/docs/latest/query-dsl/


I hope you find this information helpful. Let me know if you need any further information on this.
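Since the list values have to be expanded into the should clauses by hand, a defender who wants a dashboard filter to stay in step with a CDB list can script the expansion. The following is an added example, not code from this thread or from Wazuh: it parses a constructed key:value list and emits the bool/should match_phrase query shown above. Comment-line and quoted-key handling are assumptions about the list format.

```python
import json

# Constructed sample of a Wazuh CDB list: one "key:value" pair per line,
# the value being optional. This is a made-up list, not a real one.
SAMPLE_CDB_LIST = """# privileged accounts (constructed sample)
Administrador:
server:
admin:
"""


def parse_cdb_list(text):
    """Return the keys of a key:value CDB list, in file order.

    Assumptions: blank lines and lines starting with '#' are skipped,
    and a key written in double quotes ("key":value) has them stripped.
    Values are ignored because only the key is matched against the field.
    """
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, _value = line.partition(":")
        key = key.strip().strip('"')
        if key:
            keys.append(key)
    return keys


def cdb_to_dsl(field, keys, minimum_should_match=1):
    """Build the bool/should query with one match_phrase clause per key.

    minimum_should_match=1 makes the filter an OR over the list, which is
    the 'any user name in the list' semantics the thread is after.
    """
    return {
        "query": {
            "bool": {
                "should": [{"match_phrase": {field: key}} for key in keys],
                "minimum_should_match": minimum_should_match,
            }
        }
    }


if __name__ == "__main__":
    names = parse_cdb_list(SAMPLE_CDB_LIST)
    dsl = cdb_to_dsl("data.win.eventdata.targetUserName", names)
    print(json.dumps(dsl, indent=2))  # paste into the Visualize DSL filter
```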

German DiCasas

Jul 5, 2024, 12:28:09 PM7/5/24
to Wazuh | Mailing List
Very clear, Nazmur; I will not mix CDB with DSL. What about the Advanced section over Buckets? I mean, how can I know the structure of the JSON input that is needed there?

For example, on the new Wazuh 4.8, a visualization over Vulnerabilities. I have a Pie visualization with agent.name and data.vulnerability.status: Active. How can I use that Advanced section to filter with JSON input? I do not know what use it has or how to use it either. Can you guide me on what I can do there and how to use it?

Regards,

German

Md. Nazmur Sakib

Jul 8, 2024, 5:27:33 AM7/8/24
to Wazuh | Mailing List

I believe you are asking about this Advanced section.

The JSON input is not meant for filtering purposes. When a single aggregation has parameters that we don't have a UI for, you can extend just that one aggregation's JSON block.

This is a feature from OpenSearch.

Check the documentation to learn more.

https://opensearch.org/docs/2.7/aggregations/

https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-percentile-aggregation.html



For filtering you can use DSL like this:

{
  "query": {
    "bool": {
      "should": [
        {
          "match_phrase": {
            "agent.name": "win10_sakib"
          }
        },
        {
          "match_phrase": {
            "data.vulnerability.status": "Active"
          }
        }
      ],
      "minimum_should_match": 2
    }
  }
}


Ref: https://opensearch.org/docs/latest/query-dsl/


Let me know if you need any further information on this.
