Version: 5.3

Integration with Job Scheduler

General Information

The integration of Smart EDR with the job scheduler works as follows: the script run_edr_task.py, launched by an active action in a task on the EDR host, executes tasks and distributes them to agents through the BI.ZONE host.

warning

Before starting the integration of Smart EDR with the job scheduler, ensure that script deployment has been performed.


Creating and Configuring a Task

To create a scheduled job in the Job Scheduler component, go to Navigation Menu - Job Scheduler - Jobs List - Create.

Configuring the Main Section

After creating the task, in the Main section, in the Search Query field, specify the query for searching fields and their values in the bizone-irp-alerts-* index.

Example search query in a task:

source bizone-irp-alerts-*
| search dev_os_type="linux"
| table alert_name, dev_id, proc_p_file_path, proc_id
| eval reg_path = proc_p_file_path
| eval pid = proc_id

warning

For convenience, the example query uses the eval command to copy values from existing fields into the new fields reg_path and pid, whose names match the fields in the parameters column of the task from the lookup dim_bizone_task. The values of these fields are later passed to active actions.

Information on configuring other fields and blocks can be found in the corresponding article on creating notifications.

Configuring the Active Actions Section

To create an active action with script execution, go to the Active Actions section - Add - Run Script - Add.

Then, in the Script Path field, specify the interpreter, the path to the script, and the arguments with their values.

Full example of the specified script call:

python3 /app/opensearch/utils/scripts/jobscheduler-action/run_edr_task.py --dev-id {{_source.dev_id}} --param-names reg_path pid --param-values {{_source.reg_path}} {{_source.pid}} --tasks '[BZ] [Win] Remove registry key/value' '[BZ] [Win] Kill process by PID' '[BZ] [Win] Update group policies'

When calling the script, the following arguments are specified:

  • --dev-id - the dev_id parameter, passed from the SML query. The value is always written as {{_source.dev_id}}
  • --param-names - the parameter name (or names) that match, possibly in lowercase, the field names in the SML query result and in the parameters column of the task from the lookup dim_bizone_task; the script replaces these fields with the values from --param-values. In the example script call, the parameter name pid corresponds to the field that is replaced in the specified task from the lookup
  • --param-values - the value (or values) substituted into the parameters field of the task in place of the original value, e.g., {{PID}}. Specified, for example, as {{_source.pid}}, and passed from the SML query
  • --tasks - task names from the EDR lookup

warning

The arguments --dev-id and --tasks are mandatory, while --param-names and --param-values can be omitted if the task does not require replacing a field in the parameters column in the task from the lookup dim_bizone_task.
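As an added illustration (not the page's own run_edr_task.py, whose source is not shown here), the following Python models the argument contract described above: --dev-id and --tasks are mandatory, --param-names are matched case-insensitively against {{PLACEHOLDER}} tokens in the parameters column, and the call fails hard when names and values do not line up. The lookup rows, the dict layout of the parameters column and the placeholder {{REG_PATH}} are constructed assumptions.

```python
import argparse
import re

# Constructed stand-in for the parameters column of dim_bizone_task rows
# (assumed to be key/value pairs whose values may hold {{PLACEHOLDER}} tokens).
LOOKUP_ROWS = {
    "[BZ] [Win] Kill process by PID": {"pid": "{{PID}}"},
    "[BZ] [Win] Remove registry key/value": {"path": "{{REG_PATH}}"},
    "[BZ] [Win] Update group policies": {},
}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def build_parser() -> argparse.ArgumentParser:
    """Same flags as the documented call; --dev-id and --tasks are mandatory."""
    p = argparse.ArgumentParser(prog="run_edr_task.py")
    p.add_argument("--dev-id", required=True)
    p.add_argument("--param-names", nargs="*", default=[])
    p.add_argument("--param-values", nargs="*", default=[])
    p.add_argument("--tasks", nargs="+", required=True)
    return p


def substitute(parameters: dict, names: list, values: list) -> dict:
    """Fill {{PLACEHOLDER}} tokens in the task parameters. Names are matched
    case-insensitively, since --param-names may be given in lowercase."""
    if len(names) != len(values):
        raise ValueError("--param-names and --param-values differ in length")
    mapping = {n.lower(): v for n, v in zip(names, values)}

    def repl(m: re.Match) -> str:
        name = m.group(1).lower()
        if name not in mapping:
            raise KeyError(f"no value supplied for placeholder {m.group(0)}")
        return mapping[name]

    return {k: PLACEHOLDER.sub(repl, str(v)) for k, v in parameters.items()}


def resolve_tasks(argv: list, lookup: dict = LOOKUP_ROWS) -> list:
    """Parse argv as the scheduler passes it and return (dev_id, task name,
    resolved parameters) tuples ready to be sent to the EDR host."""
    args = build_parser().parse_args(argv)
    resolved = []
    for task in args.tasks:
        if task not in lookup:
            raise KeyError(f"task not found in lookup: {task}")
        params = substitute(lookup[task], args.param_names, args.param_values)
        resolved.append((args.dev_id, task, params))
    return resolved
```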


Configuring the Node

The run_edr_task.py script requires parameters that are taken from the configuration file (config.json) and from the keystore.

Adding Parameters to the Configuration File

The following is taken from the configuration file located in the /app/opensearch/utils/scripts/jobscheduler-action directory:

  • lookup_edr - name of the lookup in EDR from which BI.ZONE tasks are taken.

This parameter is set in the config.json file:

{
  "edr": {
    "lookup_edr": "dim_bizone_task"
  }
}

Adding Parameters to Keystore

The following parameters are taken from keystore:

  • api_edr_token - API token for interacting with BI.ZONE.
  • bizone_host - IP address of the BI.ZONE host.
  • bizone_port - port of the BI.ZONE host.
  • edr_host - IP address of the EDR host.
  • edr_port - port of the EDR host.
  • edr_name - username on the EDR host.
  • edr_pswd - password for the EDR host.

To add them to keystore, use the following commands:

sudo -u opensearch ${OS_HOME}/bin/opensearch-keystore add jobscheduler.script.pass.api_edr_token
sudo -u opensearch ${OS_HOME}/bin/opensearch-keystore add jobscheduler.script.pass.bizone_host
sudo -u opensearch ${OS_HOME}/bin/opensearch-keystore add jobscheduler.script.pass.bizone_port
sudo -u opensearch ${OS_HOME}/bin/opensearch-keystore add jobscheduler.script.pass.edr_host
sudo -u opensearch ${OS_HOME}/bin/opensearch-keystore add jobscheduler.script.pass.edr_name
sudo -u opensearch ${OS_HOME}/bin/opensearch-keystore add jobscheduler.script.pass.edr_port
sudo -u opensearch ${OS_HOME}/bin/opensearch-keystore add jobscheduler.script.pass.edr_pswd

After adding parameters to keystore, verify their presence with the command:

sudo -u opensearch /app/opensearch/bin/opensearch-keystore list


warning

If the command was run without the -u opensearch option, check the permissions on the keystore file ${OS_CONFIG}/opensearch.keystore after modifying the keystore. To change the owner, use the following command:

sudo chown opensearch:opensearch ${OS_CONFIG}/opensearch.keystore

After modifying keystore via terminal, a restart of OpenSearch is required. For clusters consisting of multiple nodes, before restarting, it is recommended to disable allocation via the developer console (Main Menu - System Parameters - Developer Console) by executing the command:

PUT _cluster/settings
{
  "persistent": {
    "cluster.routing.allocation.enable": "none"
  }
}

The same can be done from the terminal with the following command:

curl -XPUT -k -u admin "https://127.0.0.1:9200/_cluster/settings?pretty" -H "Content-Type: application/json" -d '{"persistent":{"cluster.routing.allocation.enable": "none"}}'

Then restart the OpenSearch node:

systemctl restart opensearch.service

After starting the service, wait for the node to appear in the cluster node list. Check this in the developer console with:

GET _cluster/health
GET _cat/nodes

The same can be done from the terminal with the following commands:

curl -k -u admin "https://127.0.0.1:9200/_cluster/health?pretty"
curl -k -u admin "https://127.0.0.1:9200/_cat/nodes"

After the node appears in the cluster, enable allocation:

PUT _cluster/settings
{
  "persistent": {
    "cluster.routing.allocation.enable": "all"
  }
}

The same can be done from the terminal with the following command:

curl -XPUT -k -u admin "https://127.0.0.1:9200/_cluster/settings?pretty" -H "Content-Type: application/json" -d '{"persistent":{"cluster.routing.allocation.enable": "all"}}'

Since data from keystore will be passed to the script, it is necessary to specify in the job scheduler settings which task can use which variables from keystore. Use the command:

PUT _core/settings/job-scheduler
{
  "script_environments": """{
    "<task identifier>": ["api_edr_token", "bizone_host", "bizone_port", "edr_host", "edr_name", "edr_port", "edr_pswd"]
  }"""
}

At this point, node configuration is complete.


Launching the Task

After configuring the task node, the task can be launched.

To launch the task, go to Main Menu - Job Scheduler - Jobs List, and on the created task expand the list of task actions by clicking the three-dot button on the right of the table row. In the opened list, select Enable.