Content Updater #256

f-galland opened this issue Jan 29, 2025 · 0 comments
Labels
level/task Task issue type/enhancement Enhancement issue


Description

A context is outdated when its offset and last_offset differ, as in the example below.

```json
[
  {
    "_index": "wazuh-content",
    "_id": "vd_1.0.0",
    "_source": {
      "vd_4.8.0": {
        "offset": 75019,
        "last_offset": 85729
      }
    }
  }
]
```

In this case, the Content Manager downloads the changes in chunks. The number of chunks to fetch is chunks = ceil((last_offset - offset) / MAX_SIZE), where MAX_SIZE = 1000 is the upper limit of changes the CTI API returns in a single request. In the example above, the Content Manager would download 10 chunks of 1000 changes and 1 chunk of 710 changes, for a total of 11 requests to the CTI API and 10710 changes that need to be processed and indexed.

The Content Updater module uses the CTI client module to fetch the changes. It then processes the data and transforms it into CUD (create, update, delete) operations to the appropriate index, using the Index Management module. When the update is complete, it generates a command for the Command Manager, using the client. The Content Updater is the orchestrator of the update process, delegating the fetching and indexing operations to other modules.

```mermaid
---
title: Content Manager - Content update
---
sequenceDiagram
    ContentUpdater->>IndexClient: getContextInformation()
    IndexClient-)ContentUpdater: contextInfo
    loop while last_offset > offset
        ContentUpdater->>CTIclient: getContextChanges()
        CTIclient-)ContentUpdater: changes
        ContentUpdater-->>IndexPatcher: changes
    end
    ContentUpdater-->>CommandManagerClient: postCommand()
```

Functional requirements

  • The Content Updater checks if any context needs an update.
  • The Content Updater updates a context up to the last offset.
  • The Content Updater generates a command on a successful context update.

Implementation restrictions

  • The Content Updater module relies on other modules for most of the operations: CTIClient, CommandManagerClient, IndexPatcher, ...
  • During a context update, its offset value is updated on each iteration. When the update ends, offset must be equal to last_offset.

Plan

  • Read contexts metadata from the internal index. Filter by offset != last_offset.
  • Orchestrate the context update process.
  • Generate a command on a successful update.
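The plan above (filter outdated contexts, loop in MAX_SIZE chunks while persisting offset each iteration, post a command once offset reaches last_offset), as an added Python sketch that is not the plugin's own code. FakeCtiClient, index_patcher and post_command are hypothetical stand-ins for the CTI client, Index Management and Command Manager client modules; the context documents are constructed from the example in the issue.

```python
import math

MAX_SIZE = 1000  # upper limit of changes the CTI API returns per request

# Constructed sample of the internal index: the document from the issue plus
# one up-to-date context, so the filter has something to drop.
CONTEXTS = [
    {"_id": "vd_1.0.0", "_source": {"vd_4.8.0": {"offset": 75019, "last_offset": 85729}}},
    {"_id": "rules_1.0.0", "_source": {"rules_1.0.0": {"offset": 300, "last_offset": 300}}},
]

def outdated_contexts(docs):
    """Return (doc_id, consumer, meta) for each context whose offset != last_offset."""
    return [(d["_id"], c, m) for d in docs for c, m in d["_source"].items()
            if m["offset"] != m["last_offset"]]

def chunk_count(offset, last_offset, max_size=MAX_SIZE):
    """Requests needed: the division rounded up, so a partial last chunk counts."""
    return math.ceil((last_offset - offset) / max_size)

class FakeCtiClient:
    """Hypothetical stand-in for the CTI client: serves at most max_size changes per call."""
    def __init__(self, max_size=MAX_SIZE):
        self.max_size, self.requests = max_size, 0

    def get_context_changes(self, consumer, offset, last_offset):
        self.requests += 1
        end = min(offset + self.max_size, last_offset)
        return [{"offset": o, "op": "update"} for o in range(offset + 1, end + 1)]

def update_context(consumer, meta, cti, index_patcher, post_command):
    """Drive one context from offset to last_offset, persisting offset every iteration."""
    processed = 0
    while meta["last_offset"] > meta["offset"]:
        changes = cti.get_context_changes(consumer, meta["offset"], meta["last_offset"])
        if not changes or changes[-1]["offset"] <= meta["offset"]:
            raise RuntimeError("CTI returned no progress; aborting to avoid a livelock")
        index_patcher(changes)                  # CUD operations into the target index
        meta["offset"] = changes[-1]["offset"]  # progress survives a crash mid-update
        processed += len(changes)
    post_command(consumer, meta["offset"])      # command only after a complete update
    return processed

def run(docs, cti):
    summary = {}  # orchestrate: filter outdated contexts, update each, report per consumer
    for _, consumer, meta in outdated_contexts(docs):
        processed = update_context(consumer, meta, cti, lambda ch: None, lambda c, o: None)
        summary[consumer] = {"processed": processed, "offset": meta["offset"]}
    return summary
```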
@f-galland f-galland added level/subtask Subtask issue type/enhancement Enhancement issue labels Jan 29, 2025
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 5.0.0 Jan 30, 2025
@AlexRuiz7 AlexRuiz7 changed the title Add context offset update funcionality to the Content Manager plugin Context update from CTI consumer's changes Jan 30, 2025
@AlexRuiz7 AlexRuiz7 added level/task Task issue and removed level/subtask Subtask issue labels Jan 31, 2025
@AlexRuiz7 AlexRuiz7 changed the title Context update from CTI consumer's changes Content Updater Jan 31, 2025