Add Python module to implement Amazon Security Lake integration #186
Conversation
- Improved documentation.
- Python code has been moved to `wazuh-indexer/integrations/amazon-security-lake/src`.
- Development environment now uses OpenSearch 2.12.0.
- The `wazuh.integration.security.lake` container now displays logs by watching logstash's log file.
- [**NEEDS FIX**] As a temporary solution, the `INDEXER_USERNAME` and `INDEXER_PASSWORD` values have been added as environment variables to the `wazuh.integration.security.lake` container. These values should be set at Dockerfile level, but this isn't working, probably due to permission denied on invocation of the `setup.sh` script.
- [**NEEDS FIX**] As a temporary solution, the output file of the `indexer-to-file` pipeline has been moved to `/var/log/logstash/indexer-to-file`. The previous path `/usr/share/logstash/pipeline/indexer-to-file.json` results in permission denied.
- [**NEEDS FIX**] As a temporary solution, the `input.opensearch.query` has been replaced with `match_all`, as the previous one does not return any data, probably due to the use of time filters (`gt: now-1m`).
- Standard output enabled for `/usr/share/logstash/pipeline/indexer-to-file.json`.
- [**NEEDS FIX**] ECS compatibility disabled: `echo "pipeline.ecs_compatibility: disabled" >> /etc/logstash/logstash.yml` -- to be included automatically.
- Python3 environment path added to the `indexer-to-integrator` pipeline.
- Adds `pipeline.ecs_compatibility: disabled` at Dockerfile level.
- Removes `INDEXER_USERNAME` and `INDEXER_PASSWORD` as environment variables on the `wazuh.integration.security.lake` container.
I've been able to modify the script to manage and write raw, processed and encoded events into the local filesystem and upload them to a local S3 bucket (S3 Ninja):
```python
filename_raw = f"/tmp/integrator-raw-{timestamp}.json"
filename_ocsf = f"/tmp/integrator-ocsf-{timestamp}.json"
filename_parquet = f"/tmp/integrator-ocsf-{timestamp}.parquet"
```

The environment is prepared. Start it with:

Start the integration with:
In theory, the events in these 3 stages mentioned above should appear in the
```
logstash@wazuh:/tmp$ ls
hsperfdata_logstash  hsperfdata_root  integrator-raw-2024-03-19T11:44:01.369800+00:00.json  tmplwclf73gcacert.pem
```

If we use this raw file and send it directly to the script, it all works as expected.

```
cat /tmp/integrator-raw-2024-03-19T11\:44\:01.369800+00\:00.json | /env/bin/python3 /usr/share/logstash/amazon-security-lake/run.py
logstash@wazuh:/tmp$ ls
hsperfdata_logstash  integrator-ocsf-2024-03-19T11:48:16.157192+00:00.json  integrator-raw-2024-03-19T11:44:01.369800+00:00.json  tmplwclf73gcacert.pem
hsperfdata_root  integrator-ocsf-2024-03-19T11:48:16.157192+00:00.parquet  integrator-raw-2024-03-19T11:48:16.157192+00:00.json
logstash@wazuh:/tmp$ cp integrator-ocsf-2024-03-19T11\:48\:16.157192+00\:00.parquet data.parquet
```
logstash@wazuh:/tmp$ /env/bin/parquet-tools show data.parquet
+---------------+-----------------+----------------+-------------------+-------------+---------+-------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+---------------------------------------------------------------------------------------------------------------------+
| activity_id | category_name | category_uid | class_name | class_uid | count | message | finding_info | metadata | raw_data | resources | risk_score | severity_id | status_id | time | type_uid | unmapped |
|---------------+-----------------+----------------+-------------------+-------------+---------+-------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+---------------------------------------------------------------------------------------------------------------------|
| 1 | Findings | 2 | Detection Finding | 2004 | 1 | Audit: Command: /usr/sbin/bash | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Debian', 'uid': '007'}] | 3 | 1 | 99 | 2024-03-19T11:43:02.517+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 17 | Audit: Command: /usr/sbin/sh | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Ubuntu', 'uid': '004'}] | 3 | 1 | 99 | 2024-03-19T11:43:58.265+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 10 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Knark' detected by the presence of file '/proc/knark'. | [{'name': 'Windows', 'uid': '006'}] | 7 | 2 | 99 | 2024-03-19T11:43:48.093+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 12 | Audit: Command: /usr/sbin/sudo | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Centos', 'uid': '005'}] | 3 | 1 | 99 | 2024-03-19T11:43:53.181+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 3 | Audit: Command: /usr/sbin/ssh | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:43:43.010+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 12 | Audit: Command: /usr/sbin/sudo | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Ubuntu', 'uid': '004'}] | 3 | 1 | 99 | 2024-03-19T11:43:32.873+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 11 | Audit: Command: /usr/sbin/id | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:43:37.925+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 16 | Audit: Command: /usr/sbin/consoletype | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Centos', 'uid': '005'}] | 3 | 1 | 99 | 2024-03-19T11:43:27.821+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 4 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic). | [{'name': 'Amazon', 'uid': '002'}] | 7 | 2 | 99 | 2024-03-19T11:43:07.562+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 12 | Audit: Command: /usr/sbin/sudo | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Ubuntu', 'uid': '004'}] | 3 | 1 | 99 | 2024-03-19T11:43:22.773+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 3 | Audit: Command: /usr/sbin/ssh | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Ubuntu', 'uid': '004'}] | 3 | 1 | 99 | 2024-03-19T11:43:17.716+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 0 | Sample alert 4 | {'analytic': {'category': 'ciscat', 'name': 'N/A', 'type_id': 1, 'uid': '3530'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Sample alert 4', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'RHEL7', 'uid': '001'}] | 14 | 4 | 99 | 2024-03-19T11:43:12.642+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 12 | Audit: Command: /usr/sbin/sudo | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'RHEL7', 'uid': '001'}] | 3 | 1 | 99 | 2024-03-19T11:44:48.897+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 13 | Audit: Command: /usr/sbin/hostname | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:44:18.509+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 11 | Audit: Command: /usr/sbin/id | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Debian', 'uid': '007'}] | 3 | 1 | 99 | 2024-03-19T11:44:23.589+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 16 | Audit: Command: /usr/sbin/consoletype | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Ubuntu', 'uid': '004'}] | 3 | 1 | 99 | 2024-03-19T11:44:28.625+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 13 | Audit: Command: /usr/sbin/grep | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Amazon', 'uid': '002'}] | 3 | 1 | 99 | 2024-03-19T11:44:59.051+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 11 | Audit: Command: /usr/sbin/id | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:44:53.965+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 16 | Audit: Command: /usr/sbin/consoletype | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:44:33.702+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 16 | Audit: Command: /usr/sbin/consoletype | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Debian', 'uid': '007'}] | 3 | 1 | 99 | 2024-03-19T11:44:43.864+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 5 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic). | [{'name': 'RHEL7', 'uid': '001'}] | 7 | 2 | 99 | 2024-03-19T11:44:38.781+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 11 | Audit: Command: /usr/sbin/id | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:44:03.336+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 1 | Audit: Command: /usr/sbin/bash | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:44:08.378+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 12 | Audit: Command: /usr/sbin/sudo | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Ubuntu', 'uid': '004'}] | 3 | 1 | 99 | 2024-03-19T11:44:13.449+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 13 | Audit: Command: /usr/sbin/grep | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'RHEL7', 'uid': '001'}] | 3 | 1 | 99 | 2024-03-19T11:45:34.537+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 19 | CVE-2019-19645 affects sqlite3 | {'analytic': {'category': 'vulnerability-detector', 'name': 'json', 'type_id': 1, 'uid': '23503'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'CVE-2019-19645 affects sqlite3', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Centos', 'uid': '005'}] | 5 | 2 | 99 | 2024-03-19T11:45:49.745+0000 | 200401 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 3 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'. | [{'name': 'Amazon', 'uid': '002'}] | 7 | 2 | 99 | 2024-03-19T11:45:44.696+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 13 | Audit: Command: /usr/sbin/hostname | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Amazon', 'uid': '002'}] | 3 | 1 | 99 | 2024-03-19T11:45:39.625+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 10 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Omega' detected by the presence of file '/dev/chr'. | [{'name': 'Ubuntu', 'uid': '004'}] | 7 | 2 | 99 | 2024-03-19T11:45:04.121+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 1 | Audit: Command: /usr/sbin/crond | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'RHEL7', 'uid': '001'}] | 3 | 1 | 99 | 2024-03-19T11:45:14.240+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 3 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic). | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] | 7 | 2 | 99 | 2024-03-19T11:45:09.169+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 84 | CVE-2016-7948 affects libxrandr2 | {'analytic': {'category': 'vulnerability-detector', 'name': 'json', 'type_id': 1, 'uid': '23506'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'CVE-2016-7948 affects libxrandr2', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Amazon', 'uid': '002'}] | 13 | 4 | 99 | 2024-03-19T11:45:19.273+0000 | 200401 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 6 | Audit: Command: /usr/sbin/ls | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ls', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Centos', 'uid': '005'}] | 3 | 1 | 99 | 2024-03-19T11:45:24.350+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 1 | Audit: Command: /usr/sbin/crond | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Amazon', 'uid': '002'}] | 3 | 1 | 99 | 2024-03-19T11:45:29.445+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 17 | Audit: Command: /usr/sbin/sh | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Debian', 'uid': '007'}] | 3 | 1 | 99 | 2024-03-19T11:45:59.848+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 2 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'. | [{'name': 'Centos', 'uid': '005'}] | 7 | 2 | 99 | 2024-03-19T11:45:54.813+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 11 | Audit: Command: /usr/sbin/id | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Debian', 'uid': '007'}] | 3 | 1 | 99 | 2024-03-19T11:46:30.205+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 11 | Audit: Command: /usr/sbin/id | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'RHEL7', 'uid': '001'}] | 3 | 1 | 99 | 2024-03-19T11:46:09.969+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 13 | Audit: Command: /usr/sbin/hostname | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] | 3 | 1 | 99 | 2024-03-19T11:46:04.913+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 3 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic). | [{'name': 'Amazon', 'uid': '002'}] | 7 | 2 | 99 | 2024-03-19T11:46:25.161+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 13 | Audit: Command: /usr/sbin/hostname | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:46:15.037+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 0 | Sample alert 4 | {'analytic': {'category': 'ciscat', 'name': 'N/A', 'type_id': 1, 'uid': '2466'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Sample alert 4', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] | 9 | 3 | 99 | 2024-03-19T11:46:20.082+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 13 | Audit: Command: /usr/sbin/hostname | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Centos', 'uid': '005'}] | 3 | 1 | 99 | 2024-03-19T11:47:00.680+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 16 | Audit: Command: /usr/sbin/consoletype | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Centos', 'uid': '005'}] | 3 | 1 | 99 | 2024-03-19T11:46:45.452+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 13 | Audit: Command: /usr/sbin/grep | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:46:50.487+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 12 | Audit: Command: /usr/sbin/sudo | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:46:55.553+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 6 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'. | [{'name': 'RHEL7', 'uid': '001'}] | 7 | 2 | 99 | 2024-03-19T11:46:35.282+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 20 | CVE-2013-4235 affects login | {'analytic': {'category': 'vulnerability-detector', 'name': 'json', 'type_id': 1, 'uid': '23503'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'CVE-2013-4235 affects login', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Ubuntu', 'uid': '004'}] | 5 | 2 | 99 | 2024-03-19T11:46:40.369+0000 | 200401 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 11 | Audit: Command: /usr/sbin/id | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] | 3 | 1 | 99 | 2024-03-19T11:47:31.077+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 1 | Audit: Command: /usr/sbin/bash | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] | 3 | 1 | 99 | 2024-03-19T11:47:36.156+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 8 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Omega' detected by the presence of file '/dev/chr'. | [{'name': 'Amazon', 'uid': '002'}] | 7 | 2 | 99 | 2024-03-19T11:47:41.189+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 64 | CVE-2017-12588 affects rsyslog | {'analytic': {'category': 'vulnerability-detector', 'name': 'json', 'type_id': 1, 'uid': '23506'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'CVE-2017-12588 affects rsyslog', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Ubuntu', 'uid': '004'}] | 13 | 4 | 99 | 2024-03-19T11:47:46.260+0000 | 200401 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 1 | Audit: Command: /usr/sbin/crond | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Centos', 'uid': '005'}] | 3 | 1 | 99 | 2024-03-19T11:47:51.296+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 17 | Audit: Command: /usr/sbin/sh | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Amazon', 'uid': '002'}] | 3 | 1 | 99 | 2024-03-19T11:47:56.373+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 4 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Omega' detected by the presence of file '/dev/chr'. | [{'name': 'Debian', 'uid': '007'}] | 7 | 2 | 99 | 2024-03-19T11:47:26.033+0000 | 200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 1 | Audit: Command: /usr/sbin/crond | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Amazon', 'uid': '002'}] | 3 | 1 | 99 | 2024-03-19T11:47:20.949+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 16 | Audit: Command: /usr/sbin/consoletype | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] | 3 | 1 | 99 | 2024-03-19T11:47:15.896+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 1 | Audit: Command: /usr/sbin/crond | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Windows', 'uid': '006'}] | 3 | 1 | 99 | 2024-03-19T11:47:10.813+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 13 | Audit: Command: /usr/sbin/hostname | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] | 3 | 1 | 99 | 2024-03-19T11:47:05.769+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | Findings | 2 | Detection Finding | 2004 | 13 | Audit: Command: /usr/sbin/hostname | {'analytic': {'category': 'audit, audit_command', 'name': 'N/A', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Centos', 'uid': '005'}] | 3 | 1 | 99 | 2024-03-19T11:47:00.680+0000 | 200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
+---------------+-----------------+----------------+-------------------+-------------+---------+-------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+---------------------------------------------------------------------------------------------------------------------+

It's being especially difficult to develop and debug this script with Logstash in the equation. In the case of evolving this script and following this approach to implement the integration, we are thinking of getting rid of Logstash completely and fetching the data using OpenSearch's Python client.
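The Logstash-free approach the comment above points at, as an added worked example (not code from this PR or the wazuh-indexer repository): poll the alerts index with an `opensearch-py`-style `search(index=..., body=...)` call and convert each hit into the OCSF Detection Finding shape printed in the table (`class_uid` 2004, `type_uid` 200401, `risk_score` = rule level). The severity thresholds, the `wazuh-alerts-4.x-*` index pattern, the `FakeIndexer` stand-in and the `SAMPLE_ALERT` fixture are assumptions made for this example; a real run would pass an `opensearchpy.OpenSearch` client instead of `FakeIndexer`.

```python
# Added example (not code from the wazuh-indexer repo): poll alerts from the indexer
# with an opensearch-py-style client and convert them to OCSF Detection Finding events.
from __future__ import annotations

from typing import Any

ACTIVITY_CREATE = 1             # activity_id: new finding
CATEGORY_FINDINGS = 2           # category_uid
CLASS_DETECTION_FINDING = 2004  # class_uid
STATUS_OTHER = 99               # status_id: alerts carry no triage status
TYPE_UID = CLASS_DETECTION_FINDING * 100 + ACTIVITY_CREATE  # 200401


def severity_id(level: int) -> int:
    """Wazuh rule level (0-15) -> OCSF severity_id. Thresholds are an assumption,
    chosen to agree with the level/severity pairs visible in the table above."""
    if level >= 15:
        return 5  # Critical
    if level >= 12:
        return 4  # High
    if level >= 8:
        return 3  # Medium
    if level >= 4:
        return 2  # Low
    return 1      # Informational


def _first(values: list[str] | None) -> str:
    return values[0] if values else "N/A"


def to_ocsf(alert: dict[str, Any]) -> dict[str, Any]:
    """Convert one alert document (a hit's _source) into an OCSF event dict."""
    rule, agent, level = alert["rule"], alert["agent"], int(alert["rule"]["level"])
    mitre = rule.get("mitre", {})
    return {
        "activity_id": ACTIVITY_CREATE,
        "category_name": "Findings",
        "category_uid": CATEGORY_FINDINGS,
        "class_name": "Detection Finding",
        "class_uid": CLASS_DETECTION_FINDING,
        "count": int(rule.get("firedtimes", 1)),
        "message": rule["description"],
        "finding_info": {
            "analytic": {"category": ", ".join(rule.get("groups", [])),
                         "name": alert.get("decoder", {}).get("name", "N/A"),
                         "type_id": 1, "uid": str(rule["id"])},
            "attacks": {"tactic": {"name": _first(mitre.get("tactic")), "uid": "N/A"},
                        "technique": {"name": _first(mitre.get("technique")),
                                      "uid": _first(mitre.get("id"))},
                        "version": "v13.1"},
            "title": rule["description"],
            "types": [alert.get("input", {}).get("type", "N/A")],
            "uid": alert["id"],
        },
        "metadata": {"log_name": "Security events", "log_provider": "Wazuh",
                     "product": {"lang": "en", "name": "Wazuh", "vendor_name": "Wazuh, Inc."},
                     "version": "1.1.0"},
        "raw_data": alert.get("full_log", ""),
        "resources": [{"name": agent["name"], "uid": agent["id"]}],
        "risk_score": level,
        "severity_id": severity_id(level),
        "status_id": STATUS_OTHER,
        "time": alert["timestamp"],
        "type_uid": TYPE_UID,
        "unmapped": {"data_sources": [alert.get("location", ""), "wazuh-manager"],
                     "nist": rule.get("nist_800_53", [])},
    }


def alerts_query(since: str = "now-1m", size: int = 500) -> dict[str, Any]:
    """Poll body. A range on @timestamp matches only documents that carry that field,
    so alerts indexed without it never show up: one way `gt: now-1m` returns nothing."""
    return {"size": size,
            "sort": [{"@timestamp": {"order": "asc"}}],
            "query": {"range": {"@timestamp": {"gt": since}}}}


def fetch_findings(client: Any, index: str = "wazuh-alerts-4.x-*",
                   since: str = "now-1m") -> list[dict[str, Any]]:
    """Run the poll query through `client` (opensearch-py search signature) and convert every hit."""
    response = client.search(index=index, body=alerts_query(since))
    return [to_ocsf(hit["_source"]) for hit in response["hits"]["hits"]]


# Constructed fixture shaped like the rootcheck row in the table above.
SAMPLE_ALERT: dict[str, Any] = {
    "id": "1580123327.49031", "timestamp": "2024-03-19T11:45:54.813+0000",
    "agent": {"id": "005", "name": "Centos"},
    "rule": {"id": "510", "level": 7, "firedtimes": 2,
             "description": "Host-based anomaly detection event (rootcheck).",
             "groups": ["wazuh", "rootcheck"]},
    "decoder": {"name": "rootcheck"}, "input": {"type": "log"}, "location": "rootcheck",
    "full_log": "Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'.",
}


class FakeIndexer:
    """Constructed stand-in for an opensearch-py client: every search returns the fixture."""

    def search(self, index: str, body: dict[str, Any]) -> dict[str, Any]:
        return {"hits": {"hits": [{"_source": SAMPLE_ALERT}]}}
```

`alerts_query` deliberately keeps the `gt: now-1m` range filter instead of the `match_all` workaround from the commit message: once the documents carry a mapped `@timestamp` (the later "Add @timestamp field to sample alerts" commit), polling with a range plus `size`/`sort` avoids re-reading and re-uploading the whole index on every run.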
* Migrate from #147
* Update amazon-security-lake integration
  - Improved documentation.
  - Python code has been moved to `wazuh-indexer/integrations/amazon-security-lake/src`.
  - Development environment now uses OpenSearch 2.12.0.
  - The `wazuh.integration.security.lake` container now displays logs, by watching Logstash's log file.
  - [**NEEDS FIX**] As a temporary solution, the `INDEXER_USERNAME` and `INDEXER_PASSWORD` values have been added as environment variables to the `wazuh.integration.security.lake` container. These values should be set at Dockerfile level, but that isn't working, probably due to permission denied on invocation of the `setup.sh` script.
  - [**NEEDS FIX**] As a temporary solution, the output file of the `indexer-to-file` pipeline has been moved to `/var/log/logstash/indexer-to-file`. The previous path, `/usr/share/logstash/pipeline/indexer-to-file.json`, results in permission denied.
  - [**NEEDS FIX**] As a temporary solution, the `input.opensearch.query` has been replaced with `match_all`, as the previous one does not return any data, probably due to the use of time filters (`gt: now-1m`).
  - Standard output enabled for `/usr/share/logstash/pipeline/indexer-to-file.json`.
  - [**NEEDS FIX**] ECS compatibility disabled: `echo "pipeline.ecs_compatibility: disabled" >> /etc/logstash/logstash.yml` -- to be included automatically.
  - Python3 environment path added to the `indexer-to-integrator` pipeline.
* Disable ECS compatibility (auto)
  - Adds `pipeline.ecs_compatibility: disabled` at Dockerfile level.
  - Removes `INDEXER_USERNAME` and `INDEXER_PASSWORD` as environment variables on the `wazuh.integration.security.lake` container.
* Add @timestamp field to sample alerts
* Fix Logstash pipelines
* Add working indexer-to-s3 pipeline
* Add working Python script up to S3 upload
* Add latest changes
* Remove duplicated line
Description
Migrated from #147
Issues Resolved
Closes #144
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.