Spike - OpenSearch reporting and notifications assessment

[asteriscos]

Description

We want to identify which of the following functional requirements can be achieved using the OpenSearch Reporting and Notifications plugins. This will allow us to determine the features that will have to be developed in the wazuh-dashboard-plugins repository and how to use the existing features of the mentioned plugins.

• Notifications plugin documentation
• Reporting plugin documentation

Functional Requirements

• Generate PDF reports: The user must be able to generate PDF reports of existing dashboards. This can be achieved by using the OpenSearch reporting plugin.
• Schedule reports: The user must be able to schedule reports within a certain time interval. This can be achieved by using the OpenSearch reporting plugin.
• Send reports by e-mail: The user must be able to receive the scheduled reports by e-mail. Evaluate if we can create a plugin that integrates reports generated in the OpenSearch reporting plugin with the OpenSearch notifications plugin.
• Download reports on demand: The user must be able to download an existing report whenever needed. This can be achieved by using the OpenSearch reporting plugin.
• CRUD reports from one place: Depending on the Wazuh indexer RBAC permissions, the user should be able to manage existing reports and create new ones in one place. This can be achieved by using the OpenSearch reporting plugin.
• Initial threat detection and posture status: Threat detection and posture status will be regularly sent to users via email based on Wazuh dashboard initial startup configuration.

Implementation Restrictions

• Use OpenSearch features: Ensure we use as many native features as possible to achieve the requirements.
• Pre-configured reports: We must be able to pre-configure a set of reports in the initial setup of the application.
• Stateless reports: The generated reports should be stateless to make the docker deployment easier.
• Custom SMTP server: The user must be able to configure its own SMTP server.

Plan

• Analysis
  • [x] Prepare the dev environment to have the reporting and notifications plugins https://quay.io/repository/wazuh/osd-dev?tab=tags 2.14.0.reporting
  • [ ] Analyse if the reporting and notifications plugins provides an API to be used from the dashboard
  • [ ] Identify RBAC permissions to restrict reporting operations
  • [ ] Find a way to generate predefined reports on the initial Wazuh dashboard setup
  • [ ] Find a way to generate predefined dashboards on the initial Wazuh dashboard setup
  • [ ] Analyze if the OpenSearch notifications plugin provides an interface so we can integrate it with the OpenSearch reporting plugin
  • [ ] Analyze if the current Wazuh dashboard's visualizations are compatible with the native features.
  • [ ] Analyze if all the desired visualizations are compatible with the reporting system.
• PoC
  • [ ] Create a new report alerts plugin that integrates report definitions with the notifications plugin capabilities
  • [ ] Create tests dashboards with mocked data as saved objects so they can be referenced in the reporting plugin

[yenienserrano]

I was reading the documentation of both plugins and looking for information if they have something to integrate both plugins. From what I could see, they were going to work on an integration that was going to be in 2.0.0 but apparently it didn't arrive and they don't give much information about when this integration is going to be in 2.0.0.

https://github.com/opensearch-project/reporting/issues/72

On the other hand I saw that you haveopensearch-reporting-cli which can be used for sending reports to mail but we would need our dashboards to be added as saved object of dashboards, because you need the id of the visualization.

https://opensearch.org/docs/latest/reporting/rep-cli-create/

And create a development image with the plugins and upload it to quay, to see the capabilities that both plugins provide.

[yenienserrano]

A new branch is created with a new plugin to test and see what can be used of the notification and reporting plugins.

https://github.com/wazuh/wazuh-dashboard-plugins/tree/enhancement/194-spike-reporting-and-notification-plugins

[yenienserrano]

From what I've found out, it seems that they don't have methods to generate reports or send notifications from other plugins.

While testing the applications I saw that the Dashboard application has a button to generate reports using the report plugin. But when I looked into how they were adding the button to generate the reports I couldn't find it in the visualization plugin. As far as I can see it is being added by the reporting plugin depending on which application it is in according to the breadcrumb and the buttons added to the top left.

https://github.com/opensearch-project/dashboards-reporting/blob/2.15.0.0/public/components/context_menu/context_menu.js#L264-L316

[jbiset]

Update 2024-06-27

Research about Notifications plugin

To understand the Notifications plugin, it was configured on the platform by configuring a Channel with an SMTP sender through the Resend service, following the OSD guide. Something to keep in mind is that you have to use commands that are not in the UI to load the sender's SMTP service credentials. Analyzing the functionalities provided by the Notifications plugin, it is likely that the Create Monitor functionality in Alerting (image below) can be used for everything in the schedule; However, it does not solve the problem as to how to generate the report. It will continue to be analyzed at the code level to evaluate if what was mentioned above can be taken advantage of.

[jbiset]

Update 2024-06-28

• Code from the creation by definition of the Reporting plugin is analyzed
• The possibility of creating reports through Notebooks is analyzed (Documentation)
• Research is being carried out on the Notebooks plugin, currently implicit in the Observability plugin. Related with Issue 195

[yenienserrano]

Update 2024-06-28

• Analysing the plugins in more detail
• Analysing the opensearch-reporting-cli
• Testing opensearch-reporting-cli