Reporting revamp

[havidarou]

Description

Wazuh has multiple reporting systems depending on the source of the information:

• Wazuh manager API.
• Wazuh indexer API.

This issue aims to unify all Wazuh reporting capabilities. Our initial approach will be to leverage the OpenSearch reporting and notifications plugins.

Wazuh status and metrics

We want to generate reports about servers and indexers. These reports will include statistics about the workload of Wazuh over time, the availability of the services and modules, etc.

These reports should help users manage the system's health, plan the system's capacity, and analyze the system's performance.

Security threats

We want to generate reports about the environment's security threats and posture. This should include at least:

• SCA.
• File integrity monitoring.
• Inventory.
• Threat intelligence.
• Compliance and audit.
• Vulnerability detection.

Custom reports

Users will be able to create personalized reports based on any information available in the indexer.

Functional requirements

• All Wazuh XDR/SIEM output spawns from the Wazuh indexer.
• Reports are generated in PDF.
• Reports can be sent via email at scheduled intervals.
• Reports can be downloaded on demand.
• A user can list all available reports from one place, depending on the Wazuh indexer RBAC permissions.
• A user can create/edit/delete custom reports from one place, depending on the Wazuh indexer RBAC permissions.
• Threat detection and posture status will be regularly sent to users via email based on Wazuh dashboard initial startup configuration.

Non-functional requirements

• The reporting system must ease container deployment scenarios.

Implementation restrictions

• Use the existing OpenSearch reporting and notifications plugins as much as possible.

Plan

Spike

• Research OpenSearch reporting and notifications plugins to fulfill requirements

  • https://github.com/wazuh/wazuh-dashboard/issues/194
  • Owner: @wazuh/devel-dashboard
  • Teams involved: @wazuh/devel-dashboard

• Research OpenSearch observability plugin to asses its usefulness in Engine and Agent comms API metrics ingestion.

  • https://github.com/wazuh/wazuh-dashboard/issues/195
  • Owner: @wazuh/devel-dashboard
  • Teams involved: @wazuh/devel-dashboard @wazuh/devel-cppserver @wazuh/devel-pyserver

• Engine metrics ingestion

  • https://github.com/wazuh/wazuh/issues/24322
  • Owner: @wazuh/devel-cppserver
  • Teams involved: @wazuh/devel-cppserver

• Agent comms API metrics ingestion

  • https://github.com/wazuh/wazuh/issues/24163
  • Owner: @wazuh/devel-pyserver
  • Teams involved: @wazuh/devel-pyserver

MVP ETA 09/26/2024

• [ ] https://github.com/wazuh/wazuh-dashboard/issues/288
  • Owner: @wazuh/devel-dashboard
  • Teams involved: @wazuh/devel-dashboard @wazuh/devel-indexer

Checkpoint

• [ ] https://github.com/wazuh/wazuh-dashboard/issues/315
• MVP validation.

Feature complete

• [ ] #339

  • Owner: @wazuh/devel-dashboard
  • Teams involved: @wazuh/devel-dashboard

• [ ] https://github.com/wazuh/wazuh-dashboard/issues/287

  • Owner: @wazuh/devel-dashboard
  • Teams involved: @wazuh/devel-dashboard @wazuh/devel-indexer

• All reports can be sent via email at scheduled intervals.

  • Owner: @wazuh/devel-dashboard
  • Teams involved: @wazuh/devel-dashboard @wazuh/devel-indexer

• https://github.com/wazuh/wazuh/issues/24542

  • Owner: @wazuh/devel-cppserver
  • Teams involved: @wazuh/devel-cppserver

• https://github.com/wazuh/wazuh/issues/24695

  • Owner: @wazuh/devel-pyserver
  • Teams involved: @wazuh/devel-pyserver

Acceptance test