wazuh 4.2.2 compatibility with splunk 8.2.2

[MauGaP]

In order to verify the quality of the new release we need to execute the following tasks:

• [x] execution of general checks on the following environments: -- Safari - Splunk 8.2.2 - Wazuh 4.2.2 -- Chrome - Splunk 8.2.2 - Wazuh 4.2.2 -- Firefox - Splunk 8.2.2 - Wazuh 4.2.2 -- Firefox - Splunk 8.1.4 - Wazuh 4.2.2 -- Chrome - Splunk 8.1.4 - Wazuh 4.2.2

• [x] execution of test cases for the implemented changes: -- Added --- Added MITRE ATT&CK Framework integration #1083 --- Added MITRE ATT&CK Dashboard integration #1076 --- Support for Splunk v8.1.4 -- Fixed --- Cannot pin search filters on Edge - Chip style collapses #1070 --- Tables without server side pagination #1074 --- Fixed gear icon in fim table #1077 --- Added cache control #1078 --- Fixed error where tables unset their loading state before finishing API calls #1084 --- Fixed search bar queries with spaces #1083 --- Fixed pinned fields ending with curly brackets #1083 --- Fixed issues for Splunk Cloud compatibility #1099

• [x] creation of new test cases if necessary

• [x] creation of test cases for mitre new panel on dashboards

• [x] stress test with 1500 alerts displayed at once

[frankeros]

Bug

RC	Splunk	Severity
1	8.2.2	Stopper

Description

Opening the Quick settings modal does not work.

This happen after include JQuery as param in wz-table-directive.js and wz-table-server-side-directive.js to upgrade JQuery to 3.5.0

Note

Removing this param from the such files the modal opens properly, but the jQuery version is downgraded to 2.1.0

[CPAlejandro]

Current feedback

I have found this bugs:

• Generating a report, the titles show this X

• When you haven't enough resolution, you are missing information

Despite the fact of these bugs, I continue doing the testing for Wazuh 4.2.2, Splunk 8.2.2 and Firefex as navegator.

[mpRegalado]

Completed tests on chrome browser

Overview

• [x] overview:stats:agents_count
• [x] overview:panels:show
• [x] overview:panels:show_hide_module
• [x] overview:panels:go_module

Overview - Security events

• [x] overview:security:dasboard:show
• [x] overview:security:dasboard:show_stats
• [x] overview:security:dashboards:visualization:action:expand
• [x] overview:security:generate_report

Overview - Integrity monitoring

• [x] overview:im:dasboard:show
• [x] overview:im:generate_report
• [x] overview:im:go_discover

Overview - Amazon AWS

• [x] overview:aws:dasboard:show
• [x] overview:aws:generate_report
• [x] overview:im:go_discover

Managment - Ruleset

• [x] Management / Ruleset / Rules / edit file
• [x] Management / Ruleset / Rules / Manage
• [x] Management / Ruleset / Rules
• [x] Managment - Groups
• [x] Management / Groups / Pdf reporting
• [x] Management / Groups / Edit Group / Agents

Managment - Configuration

• [x] Main Configuration
• [x] Alerts and output management
• [x] Auditing and policy monitoring
• [x] System threats and incident response
• [x] Log data analysis
• [x] Cloud security monitoring
• [x] Global configuration
• [x] Settings
• [x] Logs
• [ ] Api

On narrow viewports, when the manager name is long and does not contain spaces or -, the lack of line breaks causes it to overflow onto the next element

• [x] Configuration
• [x] About

Managment - Status

• [x] Managment / Status / Restart cluster
• [x] Managment / Status / Overview

Managment - Logs

• [x] Managment / Logs / Play real time
• [x] Managment / Logs / Search
• [x] Managment / Logs / Export
• [x] Managment / Logs / Filters

Managment - Reporting

• [x] Managment / Reporting / Reporting table
• [x] Managment / Reporting / Download report
• [x] Managment / Reporting / Delete report

Agent section - Integrity Monitoring

• [ ] agent_section:im:files:table:list

When the viewport width is narrow enough, the gear icon overlaps with the columns

• [x] agent_section:im:files:table:pagination
• [x] agent_section:im:files:table:sort
• [x] agent_section:im:files:table:search
• [x] agent_section:im:files:table:export
• [x] agent_section:im:files:table:actions:show_hide_columns
• [x] agent_section:im:actions:toggle_alerts_files
• [ ] agent_section:im:dashboards:show

No results are shown in the dashboard, it needs further investigating to rule out issues with the test environment itself. Only noticed the issue in a Ubuntu agent, while a windows agent seems to show alerts correctly

• [x] agent_section:im:dashboards:visualization:action:expand
• [x] agent_section:im:generate_report

[mpRegalado]

Completed tests on chrome browser

Managment - Cluster

• [x] Managment / Cluster
• [x] Managment / Cluster / Overview
• [x] Managment / Cluster / Information / Agents
• [x] Managment / Cluster / Information / Nodes

Agents

• [x] agents:table:list
• [x] agents:table:filter
• [x] agents:table:refresh (adding new agent)
• [x] agents:table:sort
• [x] agents:table:export
• [x] agents:table:actions:open_agent_discover
• [x] agents:table:actions:open_agent_configuration
• [x] agents:table:actions:show_hide_column
• [x] agents:table:actions:row_on_click
• [x] agents::visualization
• [x] agents:stats:most_active_agent
• [x] agents:stats:most_active_agent_on_click
• [x] agents:stats:last_registered_agent
• [x] agents:stats:last_registered_agent_on_click
• [x] agents:add_new:open
• [x] agents:add_new:close
• [x] agents:add_new:os_select
• [x] agents:add_new:server_ip
• [x] agents:add_new:deploy_command
• [x] agents:add_new:deplou_command_copy

Agent Details

• [x] agent_detail:info:status
• [x] agent_detail:info:basic (header)
• [x] agent_detail:info:groups
• [x] agent_detail:panels:show_hide_module
• [x] agent_detail:panels:go_section
• [x] agent_detail:panels:modules
• [ ] agent_detail:actions:discover

  No data for ubuntu agent, error in console "common.js:489 GET http://localhost:8000/en-US/splunkd/__raw/servicesNS/admin/search/data/ui/prefs/search?output_mode=json&_=1631866135930 404 (Not Found)"

• [x] agent_detail:actions:restart_agent

Agent section - Integrity Monitoring

• [ ] agent_section:im:files:table:list

When the viewport is narrow enough for the buttons in the visualizations to overlap the timestamp, the heights of all visualizations no longer match

Agent section - Security events

• [x] agent_section:security:dasboard:show
• [x] agent_section:security:dasboard:show_stats
• [x] agent_section:im:dashboards:visualization:action:expand

Agent section - Security events

• [x] agent_section:security:dasboard:show
• [x] agent_section:security:dasboard:show_stats
• [x] agent_section:im:dashboards:visualization:action:expand

Agent section - Inventory data

• [x] agent_section:inventory:info:processes:table:last_scan
• [x] agent_section:inventory:info:packages:table:last_scan
• [x] agent_section:inventory:info:packages:table:export
• [x] agent_section:inventory:actions:generate_report

Agent section - Configuration

Documentations link in this section lead to documentation of version 2.1 or to 404 errors

• [x] Generate PDF
• [x] Configuration / Main configuration sections
• [x] Configuration / System threats and incident response sections
• [ ] Refreshing from within a subsection Refreshing the page leads back to the configuration page rather than the subsection
• [x] Upon entering log collection
• [x] Upon entering entegrity monitoring

Agent section - Policy monitoring

• [x] agent_section:pm:dashboard:visualizations:show
• [x] agent_section:pm:dashboard:visualizations:expand
• [x] agent_section:pm:action:run_scan
• [x] agent_section:pm:action:generate_report
• [x] agent_section:pm:action:go_discover

Agent section - SCA

• [ ] agent_section:sca:visualizations

  There is an odd behaviour with the visualization on different widths getting too small where there is plenty of space

• [ ] agent_section:sca:policies:table:list

  The status icon dot does not align vertically in its row

• [x] agent_section:sca:action:go_discover
• [x] agent_section:sca:action:wait_reporting_information
• [x] agent_section:sca:action:open_policy_detail
• [x] agent_section:sca:action:close_policy_detail
• [x] agent_section:sca:policy_detail:results_checks
• [x] agent_section:sca:policy_detail:table:list
• [x] agent_section:sca:policy_detail:table:search
• [x] agent_section:sca:policy_detail:table:pagination
• [x] agent_section:sca:policy_detail:table:sort
• [x] agent_section:sca:policy_detail:table:expand_row_info

Agent section - System auditing

• [x] agent_section:audit:dasboard:show
• [x] agent_section:audit:stats:show
• [x] agent_section:pm:action:generate_report
• [ ] agent_section:sca:action:go_discover

  Error common.js:489 GET http://localhost:8000/en-US/splunkd/__raw/servicesNS/admin/search/data/ui/prefs/search?output_mode=json&_=1631874697680 404 (Not Found) upon entering

Agent section - CIS-CAT

• [x] agent_section:ciscat:dashboard:show
• [x] agent_section:ciscat:stats:show
• [x] agent_section:ciscat:action:generate_report
• [ ] agent_section:ciscat:action:go_discover

  Error common.js:489 GET http://localhost:8000/en-US/splunkd/__raw/servicesNS/admin/search/data/ui/prefs/search?output_mode=json&_=1631874697680 404 (Not Found) upon entering

Agent section - Vulnerabilities

• [x] agent_section:virustotal:dashboard:show
• [x] agent_section:ciscat:stats:show
• [x] agent_section:virustotal:action:generate_report
• [ ] agent_section:virustotal:action:go_discover

  Error common.js:489 GET http://localhost:8000/en-US/splunkd/__raw/servicesNS/admin/search/data/ui/prefs/search?output_mode=json&_=1631874697680 404 (Not Found) upon entering

Agent section - Virustotal

• [x] agent_section:virustotal:dashboard:show

• [ ] agent_section:virustotal:stats:show

  Stat bar shows but instead of displaying zeroes it does not show anything

• [x] agent_section:virustotal:action:generate_report

• [ ] agent_section:virustotal:action:go_discover

  Error common.js:489 GET http://localhost:8000/en-US/splunkd/__raw/servicesNS/admin/search/data/ui/prefs/search?output_mode=json&_=1631874697680 404 (Not Found) upon entering

Agent section - Osquery

• [x] Visualizations
• [x] Generate a Report
• [ ] Redirect to Discover

  Error common.js:489 GET http://localhost:8000/en-US/splunkd/__raw/servicesNS/admin/search/data/ui/prefs/search?output_mode=json&_=1631874697680 404 (Not Found) upon entering

Agent section - PCI DSS

• [ ] Requeriments

  Filter for the selected agent does not automatically apply

• [x] Visualizations

Agent section - GDPR

• [x] Requeriments
• [x] Visualizations
• [x] Just entering

Discover

Error common.js:489 GET http://localhost:8000/en-US/splunkd/__raw/servicesNS/admin/search/data/ui/prefs/search?output_mode=json&_=1631874697680 404 (Not Found) upon entering

• [x] Switch between Fast/Smart/Verbose Mode
• [ ] Statics or Visualization -> Pivot There is a blank space between the menu and the content

• [x] Statics or Visualization -> Quick Report
• [x] Statics or Visualization -> Search Commands
• [x] Job -> Inspect Job
• [x] Job -> Edit Job Setting
• [x] Job -> Delete Job
• [x] Create table view

[mpRegalado]

I could no longer replicate the issues with Discover on console

[MauGaP]

We finished executing the regression and the issues found have been added to the backlog.