
Amazon AWS dashboard not showing information in some graphs

Open Selutario opened this issue 2 years ago • 4 comments

| Wazuh | Elastic | Rev | Security |
|-------|---------|--------|----------|
| 4.3 | 7.10.2 | 4301-1 | ODFE |

| Browser |
|---------|
| Chrome, Firefox, Safari, etc |

Description The AWS module shows "No results found" for both the Accounts and Regions sections. I'm not sure if this is a bug because Cloudtrail is the only integration I enabled in this case.

Preconditions N/A

Steps to reproduce

  1. Enable the Cloudtrail integration in Wazuh (instructions).
  2. Go to the Amazon AWS module in the Wazuh APP.

Expected Result All graphs inside the module should show any information.

Actual Result All graphs show information, except for Regions and Accounts which say: No results found

Additional context The alerts that were generated do contain fields for Regions and Accounts but then they are not displayed on the dashboard.

Selutario, Mar 31 '22 09:03

Hi Team,

Any updates on the timeline for the fix of this issue?

It would be great to have this issue fixed because the dashboards currently are not able to display AWS Account IDs from CloudTrail logs. Even with logs from many different AWS account IDs, the accounts as well as regions spaces in the AWS Dashboards remain empty.

It would be really great if this is fixed at the earliest. Looking forward to it. Thanks.

mandeeps13k, Jun 21 '22 13:06

Related issues

  • #2004
  • #2260
  • https://github.com/wazuh/wazuh/pull/4459

gdiazlo, Aug 05 '22 13:08

We tested the PR https://github.com/wazuh/wazuh/pull/4459 and confirmed that adding these mappings results in a transformation of fields from aws.awsRegion to aws.region, so the Dashboards are rendering the results properly now.

In order to test this, we configured the AWS module, as defined in step nr. 1 of this issue, and then appended AWS logs to the alerts.json file.

  • [x] We need to test if this continues to work in a fresh environment, as we used the [Elastic API](https://www.elastic.co/guide/en/elasticsearch/reference/7.10/set-processor.html) to update the ingest pipelines with the new mappings.

For this, we need to build a development environment using this Wazuh branch: 3.11-update-filebeat-module, which is linked in the PR listed above.

AlexRuiz7, Sep 22 '22 15:09
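The field copy described in the comment above, as an added example that is not part of the original thread or of the linked PR: a set-processor definition in the Elasticsearch ingest format, applied by a small Python emulation to constructed events to show which documents the Regions graph would miss before and after. The processor body, the helper names and the sample events are assumptions; only the field names `aws.awsRegion` and `aws.region` come from the comment.

```python
import copy
import re

# Processor in the shape of an Elasticsearch ingest "set" processor.
# Field names are the ones named in the comment; the exact definition
# used in the PR is not shown on this page (assumption).
SET_REGION = {"set": {"field": "aws.region",
                      "value": "{{aws.awsRegion}}",
                      "ignore_empty_value": True}}

def get_path(doc, path):
    """Return the value at a dotted path, or None if any step is missing."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def set_path(doc, path, value):
    """Create intermediate objects as needed and set the leaf value."""
    *parents, leaf = path.split(".")
    for key in parents:
        doc = doc.setdefault(key, {})
    doc[leaf] = value

def apply_set(processor, doc):
    """Emulate the processor on a copy of doc (simplified: {{path}} templates only)."""
    cfg = processor["set"]
    out = copy.deepcopy(doc)
    rendered = re.sub(r"\{\{\s*([\w.]+)\s*\}\}",
                      lambda m: str(get_path(out, m.group(1)) or ""),
                      cfg["value"])
    if rendered == "" and cfg.get("ignore_empty_value", False):
        return out  # source field absent: leave the document untouched
    if cfg.get("override", True) or get_path(out, cfg["field"]) is None:
        set_path(out, cfg["field"], rendered)
    return out

def missing_target(docs, source="aws.awsRegion", target="aws.region"):
    """Count documents that carry the source field but lack the target field."""
    return sum(1 for d in docs
               if get_path(d, source) is not None and get_path(d, target) is None)

# Constructed sample events, not real CloudTrail data.
SAMPLE = [
    {"aws": {"source": "cloudtrail", "awsRegion": "us-east-1"}},
    {"aws": {"source": "cloudtrail", "awsRegion": "eu-west-1"}},
    {"aws": {"source": "cloudtrail"}},  # no region in the event
]
```

Running `missing_target` over documents exported from the alerts index before and after a pipeline change gives a quick check that the new mapping is being applied in a fresh environment.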

Task: test in a fresh environment

Tested PR https://github.com/wazuh/wazuh/pull/4459 in a fresh environment.

Machi3mfl, Sep 23 '22 18:09