
Add Python module to implement Amazon Security Lake integration #186

Merged
merged 9 commits into from
Apr 9, 2024

Conversation

AlexRuiz7 (Member)

Description

Migrated from #147

Issues Resolved

Closes #144

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Failing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@AlexRuiz7 AlexRuiz7 requested a review from a team as a code owner March 12, 2024 12:17
@AlexRuiz7 AlexRuiz7 mentioned this pull request Mar 12, 2024
- Improved documentation.
- Python code has been moved to `wazuh-indexer/integrations/amazon-security-lake/src`.
- Development environment now uses OpenSearch 2.12.0.
- The `wazuh.integration.security.lake` container now displays logs, by watching logstash's log file.
- [**NEEDS FIX**] As a temporary solution, the `INDEXER_USERNAME` and `INDEXER_PASSWORD` values have been added as environment variables to the `wazuh.integration.security.lake` container. These values should be set at Dockerfile level, but it isn't working, probably due to permission denied on invocation of the `setup.sh` script.
- [**NEEDS FIX**] As a temporary solution, the output file of the `indexer-to-file` pipeline has been moved to `/var/log/logstash/indexer-to-file`. The previous path `/usr/share/logstash/pipeline/indexer-to-file.json` results in permission denied.
- [**NEEDS FIX**] As a temporary solution, the `input.opensearch.query` has been replaced with `match_all`, as the previous one does not return any data, probably due to the use of time filters `gt: now-1m`.
- Standard output enabled for `/usr/share/logstash/pipeline/indexer-to-file.json`.
- [**NEEDS FIX**] ECS compatibility disabled: `echo "pipeline.ecs_compatibility: disabled" >> /etc/logstash/logstash.yml` -- to be included automatically
- Python3 environment path added to the `indexer-to-integrator` pipeline.
@AlexRuiz7 AlexRuiz7 marked this pull request as draft March 12, 2024 20:23
- Adds `pipeline.ecs_compatibility: disabled` at Dockerfile level.
- Removes `INDEXER_USERNAME` and `INDEXER_PASSWORD` as environment variables on the `wazuh.integration.security.lake` container.
AlexRuiz7 (Member, Author)

I've been able to modify the script to manage and write raw, processed and encoded events into the local filesystem and upload them to a local S3 bucket (S3 Ninja):

  • raw: data received from standard input, in json.
  • ocsf: raw data converted into OCSF schema, in json.
  • parquet: OCSF data encoded as parquet

```python
filename_raw = f"/tmp/integrator-raw-{timestamp}.json"
filename_ocsf = f"/tmp/integrator-ocsf-{timestamp}.json"
filename_parquet = f"/tmp/integrator-ocsf-{timestamp}.parquet"
```

The environment is prepared. Start it with:

```shell
docker compose -f ./docker/amazon-security-lake.yml up -d
```

Start the integration with:

```shell
/usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash
```

In theory, the events in these 3 stages mentioned above should appear in the /tmp folder. However, for some reason that I could not figure out, when the integration runs from Logstash, only raw events are written to file. Logstash does not yield any error, and apparently the pipeline is running without errors.

```
logstash@wazuh:/home/app$ /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash
Using bundled JDK: /usr/share/logstash/jdk
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_int
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_thread_pool_executor.rb:13: warning: method redefined; discarding old to_f
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2024-03-19T11:43:22,215][INFO ][logstash.runner          ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2024-03-19T11:43:22,222][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.12.2", "jruby.version"=>"jruby 9.4.5.0 (3.1.4) 2023-11-02 1abae2700f OpenJDK 64-Bit Server VM 17.0.10+7 on 17.0.10+7 +indy +jit [x86_64-linux]"}
[2024-03-19T11:43:22,224][INFO ][logstash.runner          ] JVM bootstrap flags: [-XX:+HeapDumpOnOutOfMemoryError, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, -Djruby.regexp.interruptible=true, --add-opens=java.base/java.security=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, -Dio.netty.allocator.maxOrder=11, -Dlog4j2.isThreadContextMapInheritable=true, -Xms1g, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Djdk.io.File.enableADS=true, -Dfile.encoding=UTF-8, --add-opens=java.base/java.io=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, -Djruby.compile.invokedynamic=true, -Xmx1g, -Djava.security.egd=file:/dev/urandom, -Djava.awt.headless=true, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED]
[2024-03-19T11:43:22,225][INFO ][logstash.runner          ] Jackson default value override `logstash.jackson.stream-read-constraints.max-string-length` configured to `200000000`
[2024-03-19T11:43:22,225][INFO ][logstash.runner          ] Jackson default value override `logstash.jackson.stream-read-constraints.max-number-length` configured to `10000`
[2024-03-19T11:43:22,327][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2024-03-19T11:43:22,595][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2024-03-19T11:43:22,833][INFO ][org.reflections.Reflections] Reflections took 64 ms to scan 1 urls, producing 132 keys and 468 values
[2024-03-19T11:43:23,068][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: disabled` setting. All plugins in this pipeline will default to `ecs_compatibility => disabled` unless explicitly configured otherwise.
[2024-03-19T11:43:23,083][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>16, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2000, "pipeline.sources"=>["/usr/share/logstash/pipeline/indexer-to-integrator.conf"], :thread=>"#<Thread:0x4b20bca2 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-03-19T11:43:23,505][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.42}
[2024-03-19T11:43:23,837][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2024-03-19T11:43:23,848][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
{"decoder":{},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":1,"mail":false,"id":"80790","description":"Audit: Command: /usr/sbin/bash","level":3,"groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"location":"","@timestamp":"2024-03-19T11:43:02.517Z","manager":{"name":"wazuh-manager"},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"id":"1580123327.49031","data":{"audit":{"type":"PATH","success":"yes","file":{"name":"/bin/bash"},"cwd":"/home/wazuh","command":"bash","exe":"/usr/sbin/bash"}},"timestamp":"2024-03-19T11:43:02.517+0000","predecoder":{}}
{"decoder":{},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":17,"mail":false,"id":"80790","description":"Audit: Command: /usr/sbin/sh","level":3,"groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"location":"","@timestamp":"2024-03-19T11:43:58.265Z","manager":{"name":"wazuh-manager"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"id":"1580123327.49031","data":{"audit":{"type":"PATH","success":"yes","file":{"name":"/usr/bin/sh"},"cwd":"/home/sh","command":"sh","exe":"/usr/sbin/sh"}},"timestamp":"2024-03-19T11:43:58.265+0000","predecoder":{}}
[2024-03-19T11:44:00,550][INFO ][logstash.outputs.pipe    ][main][output.integrator] Opening pipe {:command=>"/env/bin/python3 /usr/share/logstash/amazon-security-lake/run.py"}
{"decoder":{"name":"rootcheck"},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":10,"mail":false,"groups":["wazuh","rootcheck"],"description":"Host-based anomaly detection event (rootcheck).","level":7,"id":"510","gdpr":["IV_35.7.d"]},"location":"rootcheck","@timestamp":"2024-03-19T11:43:48.093Z","input":{"type":"log"},"manager":{"name":"wazuh-manager"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"id":"1580123327.49031","full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'.","data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"timestamp":"2024-03-19T11:43:48.093+0000","predecoder":{}}
{"decoder":{},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":12,"mail":false,"id":"80784","description":"Audit: Command: /usr/sbin/sudo","level":3,"groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"location":"","@timestamp":"2024-03-19T11:43:53.181Z","manager":{"name":"wazuh-manager"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"id":"1580123327.49031","data":{"audit":{"type":"CWD","success":"yes","file":{"name":"/var/sample"},"cwd":"/home/wazuh","command":"sudo","exe":"/usr/sbin/sudo"}},"timestamp":"2024-03-19T11:43:53.181+0000","predecoder":{}}
{"decoder":{},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":3,"mail":false,"id":"80791","description":"Audit: Command: /usr/sbin/ssh","level":3,"groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"location":"","@timestamp":"2024-03-19T11:43:43.010Z","manager":{"name":"wazuh-manager"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"id":"1580123327.49031","data":{"audit":{"type":"NORMAL","success":"yes","file":{"name":"/var/sample"},"cwd":"/home/wazuh","command":"ssh","exe":"/usr/sbin/sshd"}},"timestamp":"2024-03-19T11:43:43.010+0000","predecoder":{}}
{"decoder":{},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":12,"mail":false,"id":"80784","description":"Audit: Command: /usr/sbin/sudo","level":3,"groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"location":"","@timestamp":"2024-03-19T11:43:32.873Z","manager":{"name":"wazuh-manager"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"id":"1580123327.49031","data":{"audit":{"type":"CWD","success":"yes","file":{"name":"/var/sample"},"cwd":"/home/wazuh","command":"sudo","exe":"/usr/sbin/sudo"}},"timestamp":"2024-03-19T11:43:32.873+0000","predecoder":{}}
{"decoder":{},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":11,"mail":false,"id":"80784","description":"Audit: Command: /usr/sbin/id","level":3,"groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"location":"","@timestamp":"2024-03-19T11:43:37.925Z","manager":{"name":"wazuh-manager"},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"id":"1580123327.49031","data":{"audit":{"type":"NORMAL","success":"yes","file":{"name":"/usr/bin/id"},"cwd":"/home/wazuh","command":"id","exe":"/usr/sbin/id"}},"timestamp":"2024-03-19T11:43:37.925+0000","predecoder":{}}
{"decoder":{},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":16,"mail":false,"id":"80784","description":"Audit: Command: /usr/sbin/consoletype","level":3,"groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"location":"","@timestamp":"2024-03-19T11:43:27.821Z","manager":{"name":"wazuh-manager"},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"id":"1580123327.49031","data":{"audit":{"type":"PATH","success":"yes","file":{"name":"/sbin/consoletype"},"cwd":"/home/wazuh","command":"consoletype","exe":"/usr/sbin/consoletype"}},"timestamp":"2024-03-19T11:43:27.821+0000","predecoder":{}}
{"decoder":{"name":"rootcheck"},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":4,"mail":false,"groups":["wazuh","rootcheck"],"description":"Host-based anomaly detection event (rootcheck).","level":7,"id":"510","gdpr":["IV_35.7.d"]},"location":"rootcheck","@timestamp":"2024-03-19T11:43:07.562Z","input":{"type":"log"},"manager":{"name":"wazuh-manager"},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"id":"1580123327.49031","full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic).","data":{"title":"Trojaned version of file detected.","file":"/usr/bin/netstat"},"timestamp":"2024-03-19T11:43:07.562+0000","predecoder":{}}
{"decoder":{},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":12,"mail":false,"id":"80784","description":"Audit: Command: /usr/sbin/sudo","level":3,"groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"location":"","@timestamp":"2024-03-19T11:43:22.773Z","manager":{"name":"wazuh-manager"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"id":"1580123327.49031","data":{"audit":{"type":"CWD","success":"yes","file":{"name":"/var/sample"},"cwd":"/home/wazuh","command":"sudo","exe":"/usr/sbin/sudo"}},"timestamp":"2024-03-19T11:43:22.773+0000","predecoder":{}}
{"decoder":{},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"firedtimes":3,"mail":false,"id":"80791","description":"Audit: Command: /usr/sbin/ssh","level":3,"groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"location":"","@timestamp":"2024-03-19T11:43:17.716Z","manager":{"name":"wazuh-manager"},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"id":"1580123327.49031","data":{"audit":{"type":"NORMAL","success":"yes","file":{"name":"/var/sample"},"cwd":"/home/wazuh","command":"ssh","exe":"/usr/sbin/sshd"}},"timestamp":"2024-03-19T11:43:17.716+0000","predecoder":{}}
{"decoder":{},"@version":"1","cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"rule":{"id":"3530","description":"Sample alert 4","level":14,"groups":["ciscat"],"mail":false},"location":"","@timestamp":"2024-03-19T11:43:12.642Z","manager":{"name":"wazuh-manager"},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"id":"1580123327.49031","data":{"cis":{"benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","@timestamp":"2024-03-19T11:43:12.642+0000","notchecked":0,"result":"unknown","group":"Access, Authentication and Authorization","score":22,"pass":64,"unknown":11,"rule_title":"CIS-CAT 1","fail":2,"timestamp":"2024-03-19T11:43:12.642+0000"}},"timestamp":"2024-03-19T11:43:12.642+0000","predecoder":{}}
[2024-03-19T11:44:00,561][INFO ][logstash.outputs.pipe    ][main][output.integrator] Starting stale pipes cleanup cycle {:pipes=>{"/env/bin/python3 /usr/share/logstash/amazon-security-lake/run.py"=>#<PipeWrapper:0x3dbde896 @pipe=#<IO:fd 84>, @active=true>}
logstash@wazuh:/tmp$ ls
hsperfdata_logstash  hsperfdata_root  integrator-raw-2024-03-19T11:44:01.369800+00:00.json  tmplwclf73gcacert.pem
```

If we use this raw file and send it directly to the script, it all works as expected.

```
cat /tmp/integrator-raw-2024-03-19T11\:44\:01.369800+00\:00.json | /env/bin/python3 /usr/share/logstash/amazon-security-lake/run.py
logstash@wazuh:/tmp$ ls
hsperfdata_logstash  integrator-ocsf-2024-03-19T11:48:16.157192+00:00.json     integrator-raw-2024-03-19T11:44:01.369800+00:00.json  tmplwclf73gcacert.pem
hsperfdata_root      integrator-ocsf-2024-03-19T11:48:16.157192+00:00.parquet  integrator-raw-2024-03-19T11:48:16.157192+00:00.json
logstash@wazuh:/tmp$ cp integrator-ocsf-2024-03-19T11\:48\:16.157192+00\:00.parquet data.parquet
logstash@wazuh:/tmp$ /env/bin/parquet-tools show data.parquet
+---------------+-----------------+----------------+-------------------+-------------+---------+-------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+---------------------------------------------------------------------------------------------------------------------+
|   activity_id | category_name   |   category_uid | class_name        |   class_uid |   count | message                                         | finding_info                                                                                                                                                                                                                                                                                                                                        | metadata                                                                                                                                                | raw_data                                                                                                                       | resources                                                            |   risk_score |   severity_id |   status_id | time                         |   type_uid | unmapped                                                                                                            |
|---------------+-----------------+----------------+-------------------+-------------+---------+-------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+---------------------------------------------------------------------------------------------------------------------|
|             1 | Findings        |              2 | Detection Finding |        2004 |       1 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 2024-03-19T11:43:02.517+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      17 | Audit: Command: /usr/sbin/sh                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 2024-03-19T11:43:58.265+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      10 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Knark' detected by the presence of file '/proc/knark'.                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            7 |             2 |          99 | 2024-03-19T11:43:48.093+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |      12 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 2024-03-19T11:43:53.181+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       3 | Audit: Command: /usr/sbin/ssh                   | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                   | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:43:43.010+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      12 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 2024-03-19T11:43:32.873+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      11 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:43:37.925+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      16 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 2024-03-19T11:43:27.821+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       4 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic). | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             2 |          99 | 2024-03-19T11:43:07.562+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |      12 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 2024-03-19T11:43:22.773+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       3 | Audit: Command: /usr/sbin/ssh                   | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                   | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 2024-03-19T11:43:17.716+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       0 | Sample alert 4                                  | {'analytic': {'category': 'ciscat', 'name': 'N/A', 'type_id': 1, 'uid': '3530'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Sample alert 4', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |           14 |             4 |          99 | 2024-03-19T11:43:12.642+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      12 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             1 |          99 | 2024-03-19T11:44:48.897+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      13 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:44:18.509+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
```
|             1 | Findings        |              2 | Detection Finding |        2004 |      11 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 2024-03-19T11:44:23.589+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      16 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 2024-03-19T11:44:28.625+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      13 | Audit: Command: /usr/sbin/grep                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          99 | 2024-03-19T11:44:59.051+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      11 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:44:53.965+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      16 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:44:33.702+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      16 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 2024-03-19T11:44:43.864+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       5 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic).    | [{'name': 'RHEL7', 'uid': '001'}]                                    |            7 |             2 |          99 | 2024-03-19T11:44:38.781+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |      11 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:44:03.336+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       1 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:44:08.378+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      12 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             1 |          99 | 2024-03-19T11:44:13.449+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      13 | Audit: Command: /usr/sbin/grep                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             1 |          99 | 2024-03-19T11:45:34.537+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      19 | CVE-2019-19645 affects sqlite3                  | {'analytic': {'category': 'vulnerability-detector', 'name': 'json', 'type_id': 1, 'uid': '23503'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'CVE-2019-19645 affects sqlite3', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}               | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            5 |             2 |          99 | 2024-03-19T11:45:49.745+0000 |     200401 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
|             1 | Findings        |              2 | Detection Finding |        2004 |       3 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'.                                                               | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             2 |          99 | 2024-03-19T11:45:44.696+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |      13 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          99 | 2024-03-19T11:45:39.625+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      10 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Omega' detected by the presence of file '/dev/chr'.                                                                   | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            7 |             2 |          99 | 2024-03-19T11:45:04.121+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |       1 | Audit: Command: /usr/sbin/crond                 | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             1 |          99 | 2024-03-19T11:45:14.240+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       3 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic).                              | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            7 |             2 |          99 | 2024-03-19T11:45:09.169+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |      84 | CVE-2016-7948 affects libxrandr2                | {'analytic': {'category': 'vulnerability-detector', 'name': 'json', 'type_id': 1, 'uid': '23506'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'CVE-2016-7948 affects libxrandr2', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}             | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |           13 |             4 |          99 | 2024-03-19T11:45:19.273+0000 |     200401 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
|             1 | Findings        |              2 | Detection Finding |        2004 |       6 | Audit: Command: /usr/sbin/ls                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ls', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 2024-03-19T11:45:24.350+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       1 | Audit: Command: /usr/sbin/crond                 | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          99 | 2024-03-19T11:45:29.445+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      17 | Audit: Command: /usr/sbin/sh                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 2024-03-19T11:45:59.848+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       2 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'.                                                              | [{'name': 'Centos', 'uid': '005'}]                                   |            7 |             2 |          99 | 2024-03-19T11:45:54.813+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |      11 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          99 | 2024-03-19T11:46:30.205+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      11 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             1 |          99 | 2024-03-19T11:46:09.969+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      13 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 2024-03-19T11:46:04.913+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       3 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic).    | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             2 |          99 | 2024-03-19T11:46:25.161+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |      13 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:46:15.037+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       0 | Sample alert 4                                  | {'analytic': {'category': 'ciscat', 'name': 'N/A', 'type_id': 1, 'uid': '2466'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Sample alert 4', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            9 |             3 |          99 | 2024-03-19T11:46:20.082+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      13 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 2024-03-19T11:47:00.680+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      16 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 2024-03-19T11:46:45.452+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      13 | Audit: Command: /usr/sbin/grep                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:46:50.487+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      12 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:46:55.553+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       6 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'.                                                          | [{'name': 'RHEL7', 'uid': '001'}]                                    |            7 |             2 |          99 | 2024-03-19T11:46:35.282+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |      20 | CVE-2013-4235 affects login                     | {'analytic': {'category': 'vulnerability-detector', 'name': 'json', 'type_id': 1, 'uid': '23503'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'CVE-2013-4235 affects login', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            5 |             2 |          99 | 2024-03-19T11:46:40.369+0000 |     200401 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
|             1 | Findings        |              2 | Detection Finding |        2004 |      11 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 2024-03-19T11:47:31.077+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       1 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 2024-03-19T11:47:36.156+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       8 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Omega' detected by the presence of file '/dev/chr'.                                                                   | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             2 |          99 | 2024-03-19T11:47:41.189+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |      64 | CVE-2017-12588 affects rsyslog                  | {'analytic': {'category': 'vulnerability-detector', 'name': 'json', 'type_id': 1, 'uid': '23506'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'CVE-2017-12588 affects rsyslog', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}               | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Ubuntu', 'uid': '004'}]                                   |           13 |             4 |          99 | 2024-03-19T11:47:46.260+0000 |     200401 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
|             1 | Findings        |              2 | Detection Finding |        2004 |       1 | Audit: Command: /usr/sbin/crond                 | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 2024-03-19T11:47:51.296+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      17 | Audit: Command: /usr/sbin/sh                    | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                    | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          99 | 2024-03-19T11:47:56.373+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       4 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Omega' detected by the presence of file '/dev/chr'.                                                                   | [{'name': 'Debian', 'uid': '007'}]                                   |            7 |             2 |          99 | 2024-03-19T11:47:26.033+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 |       1 | Audit: Command: /usr/sbin/crond                 | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          99 | 2024-03-19T11:47:20.949+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      16 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 2024-03-19T11:47:15.896+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |       1 | Audit: Command: /usr/sbin/crond                 | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             1 |          99 | 2024-03-19T11:47:10.813+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      13 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             1 |          99 | 2024-03-19T11:47:05.769+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 |      13 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                                                | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          99 | 2024-03-19T11:47:00.680+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
+---------------+-----------------+----------------+-------------------+-------------+---------+-------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+---------------------------------------------------------------------------------------------------------------------+


It's being especially difficult to develop and debug this script with Logstash in the equation. In the case of evolving this script and following this approach to implement the integration, we are thinking of getting rid of Logstash completely and fetching the data using OpenSearch's Python client.

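Added example (not code from this PR or the wazuh-indexer project) of the Logstash-free approach mentioned above: the OpenSearch Python client pulls alerts with the same `@timestamp > now-1m` window the Logstash input used, pages them with the scroll API, and explains an empty result instead of silently exporting nothing. Assumed, not from the page: the `wazuh-alerts-4.x-*` index pattern, the `INDEXER_HOST`/`INDEXER_CA` variables, and `opensearch-py` being needed only for a real cluster; `FakeIndexer` and the sample alerts are constructed so the block runs offline.

```python
"""Read Wazuh alerts from the indexer with the OpenSearch Python client (added example,
not code from this PR). It keeps the Logstash input's `@timestamp > now-1m` window and
tells "nothing in the window" apart from "alerts lack @timestamp", the symptom from the
commit message. Assumed, not from the page: wazuh-alerts-4.x-*, INDEXER_* env vars."""
import os
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Iterator, List

def build_alerts_query(window: str = "now-1m", page_size: int = 500) -> Dict[str, Any]:
    """Search body equivalent to the Logstash input's `gt: now-1m` range filter."""
    return {"size": page_size, "sort": [{"@timestamp": "asc"}],
            "query": {"range": {"@timestamp": {"gt": window}}}}

def iter_alerts(client, index: str, window: str, page_size: int) -> Iterator[Dict[str, Any]]:
    """Yield alert documents, paging over a scroll snapshot so mid-export arrivals are not skipped or repeated."""
    resp = client.search(index=index, body=build_alerts_query(window, page_size), scroll="2m")
    scroll_id = resp.get("_scroll_id")
    try:
        while resp["hits"]["hits"]:
            for hit in resp["hits"]["hits"]:
                yield hit["_source"]
            resp = client.scroll(scroll_id=scroll_id, scroll="2m")
            scroll_id = resp.get("_scroll_id", scroll_id)
    finally:
        if scroll_id:
            client.clear_scroll(scroll_id=scroll_id)  # release the server-side search context

def diagnose_empty_window(client, index: str) -> str:
    """Explain an empty windowed result instead of silently exporting nothing."""
    total = client.count(index=index, body={"query": {"match_all": {}}})["count"]
    stamped = client.count(index=index, body={"query": {"exists": {"field": "@timestamp"}}})["count"]
    if total == 0:
        return "index is empty"
    if stamped == 0:
        return f"{total} alert(s) present but none has @timestamp; the range filter cannot match"
    return f"{stamped}/{total} alert(s) have @timestamp but none is inside the window; check clocks or widen it"

def export_alerts(client, index: str = "wazuh-alerts-4.x-*",  # assumed index pattern
                  window: str = "now-1m", page_size: int = 500) -> Dict[str, Any]:
    alerts = list(iter_alerts(client, index, window, page_size))
    return {"alerts": alerts, "note": "" if alerts else diagnose_empty_window(client, index)}

def connect_from_env():
    """Real client from assumed env vars; TLS verification stays on, so point INDEXER_CA at the indexer CA."""
    from opensearchpy import OpenSearch  # lazy import: everything else runs without opensearch-py
    return OpenSearch(hosts=[{"host": os.environ.get("INDEXER_HOST", "localhost"), "port": 9200}],
                      http_auth=(os.environ["INDEXER_USERNAME"], os.environ["INDEXER_PASSWORD"]),
                      use_ssl=True, verify_certs=True, ca_certs=os.environ.get("INDEXER_CA"))

class FakeIndexer:
    """Offline stand-in for the cluster; understands only the queries used above."""

    def __init__(self, docs: List[Dict[str, Any]], now: datetime):
        self.docs, self.now, self._pages = docs, now, {}

    def _in_window(self, doc: Dict[str, Any], window: str) -> bool:
        m = re.fullmatch(r"now-(\d+)m", window)  # minimal date math: only now-<N>m
        ts = doc.get("@timestamp")
        return bool(m and ts) and datetime.fromisoformat(ts) > self.now - timedelta(minutes=int(m.group(1)))

    def search(self, index, body, scroll=None):
        q = body["query"]
        hits = [d for d in self.docs if "range" not in q or self._in_window(d, q["range"]["@timestamp"]["gt"])]
        hits.sort(key=lambda d: d.get("@timestamp", ""))
        pages = [hits[i:i + body["size"]] for i in range(0, len(hits), body["size"])] or [[]]
        self._pages["s1"] = pages[1:]
        return {"_scroll_id": "s1", "hits": {"hits": [{"_source": d} for d in pages[0]]}}

    def scroll(self, scroll_id, scroll=None):
        rest = self._pages[scroll_id]
        return {"_scroll_id": scroll_id, "hits": {"hits": [{"_source": d} for d in (rest.pop(0) if rest else [])]}}

    def clear_scroll(self, scroll_id):
        self._pages.pop(scroll_id, None)

    def count(self, index, body):
        q = body["query"]
        return {"count": sum(1 for d in self.docs if "exists" not in q or q["exists"]["field"] in d)}

NOW = datetime(2024, 3, 19, 11, 48, tzinfo=timezone.utc)  # constructed clock
SAMPLE_ALERTS = [  # constructed; ids and titles mirror the table above, the last one lacks @timestamp
    {"@timestamp": "2024-03-19T11:47:41+00:00", "rule": {"id": "510", "description": "Host-based anomaly detection event (rootcheck)."}},
    {"@timestamp": "2024-03-19T11:47:46+00:00", "rule": {"id": "23506", "description": "CVE-2017-12588 affects rsyslog"}},
    {"@timestamp": "2024-03-19T11:47:51+00:00", "rule": {"id": "80791", "description": "Audit: Command: /usr/sbin/crond"}},
    {"rule": {"id": "80784", "description": "Audit: Command: /usr/sbin/hostname"}},
]

def demo():
    """Fresh clock: three stamped alerts, paged 2+1. Clock one hour later: nothing in the window."""
    fresh = export_alerts(FakeIndexer(SAMPLE_ALERTS, NOW), page_size=2)
    stale = export_alerts(FakeIndexer(SAMPLE_ALERTS, NOW + timedelta(hours=1)), page_size=2)
    return fresh, stale
```
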
@AlexRuiz7 AlexRuiz7 marked this pull request as ready for review April 8, 2024 08:34
@AlexRuiz7 AlexRuiz7 merged commit b587f4d into 4.9.0 Apr 9, 2024
8 checks passed
@AlexRuiz7 AlexRuiz7 deleted the 144-amazon-security-lake-dtd-python branch April 9, 2024 14:52
AlexRuiz7 added a commit that referenced this pull request Apr 24, 2024
* Migrate from #147

* Update amazon-security-lake integration

- Improved documentation.
- Python code has been moved to `wazuh-indexer/integrations/amazon-security-lake/src`.
- Development environment now uses OpenSearch 2.12.0.
- The `wazuh.integration.security.lake` container now displays logs, by watching logstash's log file.
- [**NEEDS FIX**] As a temporary solution, the `INDEXER_USERNAME` and `INDEXER_PASSWORD` values have been added as environment variables to the `wazuh.integration.security.lake` container. These values should be set at Dockerfile level, but this isn't working, probably due to permission denied on invocation of the `setup.sh` script.
- [**NEEDS FIX**] As a temporary solution, the output file of the `indexer-to-file` pipeline has been moved to `/var/log/logstash/indexer-to-file`. The previous path `/usr/share/logstash/pipeline/indexer-to-file.json` results in permission denied.
- [**NEEDS FIX**] As a temporary solution, the input.opensearch.query has been replaced with `match_all`, as the previous one does not return any data, probably due to the use of time filters `gt: now-1m`.
- Standard output enabled for `/usr/share/logstash/pipeline/indexer-to-file.json`.
- [**NEEDS FIX**] ECS compatibility disabled: `echo "pipeline.ecs_compatibility: disabled" >> /etc/logstash/logstash.yml` -- to be included automatically
- Python3 environment path added to the `indexer-to-integrator` pipeline.

* Disable ECS compatibility (auto)

- Adds pipeline.ecs_compatibility: disabled at Dockerfile level.
- Removes `INDEXER_USERNAME` and `INDEXER_PASSWORD` as environment variables on the `wazuh.integration.security.lake` container.

* Add @timestamp field to sample alerts

* Fix Logstash pipelines

* Add working indexer-to-s3 pipeline

* Add working Python script up to S3 upload

* Add latest changes

* Remove duplicated line
AlexRuiz7 added a commit that referenced this pull request Jun 28, 2024
AlexRuiz7 added a commit that referenced this pull request Aug 20, 2024
AlexRuiz7 added a commit that referenced this pull request Sep 9, 2024
AlexRuiz7 added a commit that referenced this pull request Sep 9, 2024
Successfully merging this pull request may close these issues.

Amazon Security Lake integration - DTD - Python script