diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml
index bebee0a7ae6f8..7ffedaade9dc9 100644
--- a/.github/workflows/config/labeler.yml
+++ b/.github/workflows/config/labeler.yml
@@ -543,6 +543,8 @@ integration/voltdb:
 - voltdb/**/*
 integration/vsphere:
 - vsphere/**/*
+integeration/wazuh:
+- wazuh/**/*
 integration/weaviate:
 - weaviate/**/*
 integration/weblogic:
diff --git a/wazuh/CHANGELOG.md b/wazuh/CHANGELOG.md
new file mode 100644
index 0000000000000..340981538e0aa
--- /dev/null
+++ b/wazuh/CHANGELOG.md
@@ -0,0 +1,4 @@
+# CHANGELOG - wazuh
+
+
+
diff --git a/wazuh/README.md b/wazuh/README.md
new file mode 100644
index 0000000000000..fb49f25182bae
--- /dev/null
+++ b/wazuh/README.md
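Review bot: The new label key on the first added line is misspelled as `integeration/wazuh:` while every neighbouring key in the hunk (`integration/vsphere:`, `integration/weaviate:`, `integration/weblogic:`) uses the `integration/` prefix, so PRs touching `wazuh/**/*` would be tagged with a label that does not follow the existing scheme and presumably does not exist in the repository. Change the key to `integration/wazuh:` so the wazuh mapping matches its siblings.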
@@ -0,0 +1,155 @@ +# Agent Integration: wazuh + +## Overview + +[Wazuh][3] provides a comprehensive security solution that detects, analyzes, and responds to threats across multiple IT infrastructure layers. Wazuh collects telemetry from endpoints, network devices, cloud workloads, third-party APIs, and other sources for unified security monitoring and protection. + +This integration ingests the following types of logs: +- **file-integrity-monitoring** : Events related to file changes like permission, content, ownership and attributes. +- **malware-detector** : Rootcheck events generated by Wazuh for detecting any malware in system. +- **vulnerability-detector** : Vulnerability events generated by Wazuh. +- **system** : Events from services like FTPD, PAM, SSHD, syslog, Windows, dpkg, yum, along with internal events. +- **docker** : Activity Events of docker container. +- **github** : Events from audit logs from github organizations. +- **google-cloud** : Security events related to google cloud platform services. +- **amazon** : Security events from amazon AWS services. +- **office365** : Security events related to office365. + +Visualize detailed insights into these logs through the out-of-the-box dashboards. + +## Setup + +### Installation + +To install the Wazuh integration, run the following Agent installation command and the steps below. For more information, see the [Integration Management][4] documentation. + +**Note**: This step is not necessary for Agent version >= 7.57.0. + +Linux command + ```shell + sudo -u dd-agent -- datadog-agent integration install datadog-wazuh==1.0.0 + ``` + +### Configuration + +#### Logs collection + +1. Collecting logs is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`: + + ```yaml + logs_enabled: true + ``` +2. Add this configuration block to your `wazuh.d/conf.yaml` file to start collecting your logs. + + Use the UDP method to collect the wazuh alerts data. 
+ See the sample [wazuh.d/conf.yaml][6] for available configuration options. + + ```yaml + logs: + - type: udp + port: + source: wazuh + service: wazuh + ``` + **Note**: It is recommended not to change the service and source values, as these parameters are integral to the pipeline's operation. + +3. [Restart the Agent][2]. + +#### Configure syslog message forwarding from Wazuh + + 1. Log in to the Wazuh UI. Navigate to the Left side Menu. + 2. Go to **Server management** > **Settings**. + 3. Click on **Edit configuration**. + 4. Add the following configuration block: + + In this example, all alerts are sent to 1.1.1.1 on port 8080 in JSON format. + ```xml + + 1.1.1.1 + 8080 + json + + ``` + + * The `server` tag should contain the IP address where your Datadog Agent is running. + + * The `port` tag should contain the port on which your Datadog Agent is listening. + + Note: Using JSON format is required, since Wazuh pipeline parses JSON formatted logs only. + 5. Click the **Save** button. + 6. After saving, Click on the **Restart Manager** button. + + +### Validation + +[Run the Agent's status subcommand][5] and look for `wazuh` under the Checks section. + +## Data Collected + +### Log + +| Format | Event Types | +| --------- | -------------- | +| JSON | file-integrity-monitoring, malware-detector, vulnerability-detector, system, github, docker, amazon, office365, google-cloud| + +### Metrics + +The Wazuh integration does not include any metrics. + +### Events + +The Wazuh integration does not include any events. + +### Service Checks + +The Wazuh integration does not include any service checks. + +## Troubleshooting + +**Permission denied while port binding:** + +If you see a **Permission denied** error while port binding in the Agent logs: + +1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the `setcap` command: + ```shell + sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent + ``` + +2. 
Verify the setup is correct by running the `getcap` command: + + ```shell + sudo getcap /opt/datadog-agent/bin/agent/agent + ``` + + With the expected output: + + ```shell + /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep + ``` + + **Note**: Re-run this `setcap` command every time you upgrade the Agent. + +3. [Restart the Agent][2]. + +**Data is not being collected:** + +Make sure that traffic is bypassed from the configured port if the firewall is enabled. + +**Port already in use:** + +- If you see the **Port Already in Use** error, see the following instructions. The example below is for port 514: + +- On systems using Syslog, if the Agent listens for Wazuh logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. This error occurs because by default, Syslog listens on port 514. To resolve this error, take **one** of the following steps: + + - Disable Syslog. + - Configure the Agent to listen on a different, available port. + + +For further assistance, contact [Datadog support][1]. + +[1]: https://docs.datadoghq.com/help/ +[2]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent +[3]: https://wazuh.com/ +[4]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install +[5]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information +[6]: https://github.com/DataDog/integrations-core/blob/master/wazuh/datadog_checks/wazuh/data/conf.yaml.example diff --git a/wazuh/assets/configuration/spec.yaml b/wazuh/assets/configuration/spec.yaml new file mode 100644 index 0000000000000..c5b2d1b487c82 --- /dev/null +++ b/wazuh/assets/configuration/spec.yaml @@ -0,0 +1,10 @@ +name: Wazuh +files: +- name: wazuh.yaml + options: + - template: logs + example: + - type: udp + port: + source: wazuh + service: wazuh 
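Review bot: In the spec.yaml example the `port:` entry carries no value, and the same empty `port:` appears in the README's `wazuh.d/conf.yaml` snippet; if this is a rendering artefact that dropped an angle-bracketed placeholder it is harmless, but if the committed file is really empty the example does not show users what to fill in, so the line should read `port: <PORT>` (with the placeholder spelled out). The example also opens a UDP listener without saying which hosts are expected to reach it, while the README's troubleshooting section only says to let traffic through the firewall; a comment on the example such as `# Allow inbound traffic on this port only from the Wazuh manager that forwards the alerts` would make the intended network scoping explicit next to the setting that creates the listener.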
diff --git a/wazuh/assets/dashboards/wazuh_MITRE_ATT&CK.json b/wazuh/assets/dashboards/wazuh_MITRE_ATT&CK.json new file mode 100644 index 0000000000000..634352c9f6f33 --- /dev/null +++ b/wazuh/assets/dashboards/wazuh_MITRE_ATT&CK.json 
@@ -0,0 +1,660 @@ +{ + "title": "Wazuh - MITRE ATT&CK", + "description": "MITRE ATT&CK dashboard provides comprehensive insights into MITRE ATT&CK from Wazuh events.", + "widgets": [ + { + "id": 6719457516841834, + "definition": { + "type": "image", + "url": "https://wazuh.com/brand-assets/Wazuh-Logo.png", + "url_dark_theme": "https://wazuh.com/wp-content/themes/wazuh-v3/assets/images/trademark-and-brand-policy/Wazuh-logo-dark-backgroud.png", + "sizing": "contain", + "margin": "sm", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 5, + "height": 3 + } + }, + { + "id": 2845032460173664, + "definition": { + "title": "MITRE ATT&CK Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2394665444134448, + "definition": { + "title": "Events Over Time By MITRE Tactics", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.mitre.tactic", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.mitre.id:* $Agent_Name $Manager_Name $Level $Service $Group $MITRE_Technique" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 7, + "height": 3 + } + }, + { + "id": 4197916590627842, + "definition": { 
+ "title": "Events Count", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh @rule.mitre.id:* $Agent_Name $Manager_Name $Level $Service $Group $MITRE_Technique" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 4 + } + }, + { + "id": 2397692967185504, + "definition": { + "title": "Events Level Distribution", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.level", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.mitre.id:* $Agent_Name $Manager_Name $Level $Service $Group $MITRE_Technique" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 3, + "y": 3, + "width": 4, + "height": 4 + } + } + ] + }, + "layout": { + "x": 5, + "y": 0, + "width": 7, + "height": 8 + } + }, + { + "id": 452387587280208, + "definition": { + "type": "note", + "content": "**Dashboard Overview**\n\nMITRE ATT&CK dashboard provides comprehensive insights into MITRE ATT&CK from Wazuh events.\n\nFor more 
information, see the [Wazuh Integration Documentation](https://docs.datadoghq.com/integrations/wazuh/)\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 3, + "width": 5, + "height": 5 + } + }, + { + "id": 2605480011477974, + "definition": { + "title": "MITRE ATT&CK Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8691866892795102, + "definition": { + "title": "Top 10 Tactics", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.mitre.tactic", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.mitre.id:* $Agent_Name $Manager_Name $Level $Service $Group $MITRE_Technique" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 4159102517932664, + "definition": { + "title": "Top 10 Technique", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + 
"aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.mitre.technique", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.mitre.id:* $Agent_Name $Manager_Name $Level $Service $Group $MITRE_Technique" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 3317555951058826, + "definition": { + "title": "Top 10 Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.mitre.id:* $Agent_Name $Manager_Name $Level $Service $Group $MITRE_Technique" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 2882961872412366, + "definition": { + "title": "MITRE Tactics by Agent", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@agent.name", + 
"limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@rule.mitre.tactic", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.mitre.id:* $Agent_Name $Manager_Name $Level $Service $Group $MITRE_Technique" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + }, + { + "id": 7853332679226809, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh @rule.mitre.id:* $Agent_Name $Manager_Name $Level $Service $Group $MITRE_Technique", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 17 + } + } + ], + "template_variables": [ + { + "name": "Agent_Name", + "prefix": "@agent.name", + "available_values": [], + "default": "*" + }, + { + "name": "Manager_Name", + "prefix": "@manager.name", + "available_values": [], + 
"default": "*" + }, + { + "name": "Level", + "prefix": "@rule.level", + "available_values": [ + "0", + "2", + "3", + "4", + "5", + "6", + "7", + "8", + "9", + "10", + "11", + "12", + "13", + "14", + "15" + ], + "default": "*" + }, + { + "name": "Service", + "prefix": "service", + "available_values": [], + "default": "*" + }, + { + "name": "Group", + "prefix": "@rule.groups", + "available_values": [], + "default": "*" + }, + { + "name": "MITRE_Technique", + "prefix": "@rule.mitre.technique", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/wazuh/assets/dashboards/wazuh_cloud_security.json b/wazuh/assets/dashboards/wazuh_cloud_security.json new file mode 100644 index 0000000000000..dc54230936e55 --- /dev/null +++ b/wazuh/assets/dashboards/wazuh_cloud_security.json 
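Review bot: The "Events Count" widget near the top of the MITRE dashboard applies `"palette": "black_on_light_green"` whenever the count of `@rule.mitre.id:*` events is greater than 0, which renders a rising number of ATT&CK-mapped alerts in the colour normally read as "healthy"; a neutral or warning palette (or dropping the conditional format, since it only fires on `> 0`) would better match a security overview. Two smaller consistency points in the same file: the "Log Details" `list_stream` widget uses `"indexes": []` while every other query in the dashboard uses `"indexes": ["*"]`, and the asset is named `wazuh_MITRE_ATT&CK.json`, where the `&` needs quoting in shells and URLs and differs from the lowercase, underscore-only name used by the sibling `wazuh_cloud_security.json`; `wazuh_mitre_attack.json` would avoid both issues.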
@@ -0,0 +1,3213 @@ +{ + "title": "Wazuh - Cloud Security", + "description": "Cloud Security dashboard provides comprehensive insights into Wazuh events from Docker, GitHub, Amazon Web Services, Google Cloud, Office365.", + "widgets": [ + { + "id": 1575089511418526, + "definition": { + "type": "image", + "url": "https://wazuh.com/brand-assets/Wazuh-Logo.png", + "url_dark_theme": "https://wazuh.com/wp-content/themes/wazuh-v3/assets/images/trademark-and-brand-policy/Wazuh-logo-dark-backgroud.png", + "sizing": "contain", + "margin": "sm", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 5, + "height": 3 + } + }, + { + "id": 4817356234101454, + "definition": { + "title": "Cloud Security Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4833013745121944, + "definition": { + "title": "Events Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:(github OR google-cloud OR amazon OR docker OR office365) $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 7, + "height": 4 + } + }, + { + "id": 5292538524670792, + "definition": { + "title": "Events Count", + "title_size": "16", 
+ "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:(github OR google-cloud OR amazon OR docker OR office365) $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 2, + "height": 3 + } + }, + { + "id": 1748667458567602, + "definition": { + "title": "Events Distribution by Cloud Service", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "service", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:(github OR google-cloud OR amazon OR docker OR office365) $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 2, + "y": 4, + "width": 5, + "height": 3 + } + } + ] + }, + "layout": { + "x": 5, + "y": 0, + "width": 7, + "height": 8 + } + }, + { + "id": 7259867207323456, + "definition": { + "type": "note", + "content": "**Dashboard Overview**\n\nCloud Security dashboard provides comprehensive insights into Wazuh events from Docker, GitHub, Amazon Web Services, Google Cloud, Office365.\n\nFor more information, see the [Wazuh Integration Documentation](https://docs.datadoghq.com/integrations/wazuh/)\n\nTips:\n - Use the 
timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 3, + "width": 5, + "height": 5 + } + }, + { + "id": 4875838896961110, + "definition": { + "title": "GITHUB", + "background_color": "vivid_green", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7702225747947318, + "definition": { + "title": "Events Over Time by Organization", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.github.org", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:github $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 3 + } + }, + { + "id": 2676818957173066, + "definition": { + "title": "Events Distribution by Users", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, 
+ "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:github $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 7, + "height": 4 + } + }, + { + "id": 7550893216388226, + "definition": { + "title": "Top 10 Organizations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.github.org", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:github $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 7, + "y": 3, + "width": 5, + "height": 4 + } + }, + { + "id": 5076107730865302, + "definition": { + "title": "Top 10 Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:github $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + 
"formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 7, + "height": 4 + } + }, + { + "id": 2785447412027712, + "definition": { + "title": "Top 10 Actions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.github.action", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:github $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 7, + "y": 7, + "width": 5, + "height": 4 + } + }, + { + "id": 6220483431481606, + "definition": { + "title": "Geo-distribution of Actor Locations", + "title_size": "16", + "title_align": "left", + "time": { + "hide_incomplete_cost_data": true + }, + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.github.actor_location.country_code", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:github $Service $Group $Agent_Name $Manager_Name $Level" + }, + 
"storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 16 + } + }, + { + "id": 7241725715442548, + "definition": { + "title": "Amazon Web Services", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2928192722577692, + "definition": { + "title": "Events Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 3 + } + }, + { + "id": 8294607549955160, + "definition": { + "title": "Top 10 Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.aws.source", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name 
$Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 4 + } + }, + { + "id": 5786382126685622, + "definition": { + "title": "Events Over Time by Sources", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.aws.source", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "area" + } + ] + }, + "layout": { + "x": 4, + "y": 3, + "width": 8, + "height": 4 + } + }, + { + "id": 2158587339666538, + "definition": { + "title": "Top 10 S3 Buckets", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.aws.log_info.s3bucket", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name 
$Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 2991381177838404, + "definition": { + "title": "Events Over Time by S3 Buckets", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.aws.log_info.s3bucket", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "area" + } + ] + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 4 + } + }, + { + "id": 3500738886537062, + "definition": { + "title": "Top 10 Regions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.aws.region", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:amazon $Agent_Name $Manager_Name $Level $Service 
$Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 3, + "height": 4 + } + }, + { + "id": 4270606079098118, + "definition": { + "title": "Top 10 Accounts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.aws.accountId", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 3, + "y": 11, + "width": 5, + "height": 4 + } + }, + { + "id": 399931406376820, + "definition": { + "title": "Top 10 Countries", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@GeoLocation.country_name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { 
+ "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 8, + "y": 11, + "width": 4, + "height": 4 + } + }, + { + "id": 4633594651302264, + "definition": { + "title": "Top 10 Event Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.aws.type", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 5, + "height": 4 + } + }, + { + "id": 5924985441413878, + "definition": { + "title": "Events Distribution by Severity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.aws.severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": 
{ + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 5, + "y": 15, + "width": 7, + "height": 4 + } + }, + { + "id": 2269549552463962, + "definition": { + "title": "Event Distribution by Action Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.aws.service.action.actionType", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 19, + "width": 12, + "height": 4 + } + }, + { + "id": 7082924263831498, + "definition": { + "title": "Instance Status Info", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@data.aws.resource.instanceDetails.instanceId" + }, + "group_by": [ + { + "facet": "@data.aws.resource.instanceDetails.instanceId", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@data.aws.resource.instanceDetails.instanceId" + } + }, + { + "facet": "@data.aws.resource.instanceDetails.instanceState", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@data.aws.resource.instanceDetails.instanceId" + } + } + ], + "search": { + 
"query": "source:wazuh service:amazon $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 23, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 24, + "width": 12, + "height": 28 + } + }, + { + "id": 1245337496198886, + "definition": { + "title": "Google Cloud", + "background_color": "vivid_green", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 561986557086490, + "definition": { + "title": "Events Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "COUNT", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:google-cloud $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 3 + } + }, + { + "id": 5795808873799870, + "definition": { + "title": "Events Distribution by Severity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.gcp.severity", + "limit": 10, + 
"sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:google-cloud $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 7, + "height": 4 + } + }, + { + "id": 5956513688768584, + "definition": { + "title": "Events Distribution by Protocol", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.gcp.jsonPayload.protocol", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:google-cloud $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 7, + "y": 3, + "width": 5, + "height": 4 + } + }, + { + "id": 3692677507540432, + "definition": { + "title": "Events Distribution by Instances", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.gcp.jsonPayload.vmInstanceName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": 
"count" + } + } + ], + "search": { + "query": "source:wazuh service:google-cloud $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 4, + "height": 4 + } + }, + { + "id": 7999724327545938, + "definition": { + "title": "Events Distribution by Instances", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.gcp.jsonPayload.responseCode", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:google-cloud $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 4, + "y": 7, + "width": 8, + "height": 4 + } + }, + { + "id": 3677771879918620, + "definition": { + "title": "Top 10 Project", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.gcp.resource.labels.project_id", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:google-cloud $Service 
$Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 4527042803321536, + "definition": { + "title": "Top 10 Resource Location", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.gcp.resource.labels.location", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:google-cloud $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 5266120004018830, + "definition": { + "title": "Top 10 Source IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:google-cloud $Service $Group $Agent_Name $Manager_Name 
$Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 7230403095534432, + "definition": { + "title": "Top 10 Countries", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@GeoLocation.country_name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:google-cloud $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 6, + "y": 15, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 52, + "width": 12, + "height": 20 + } + }, + { + "id": 2354326830925852, + "definition": { + "title": "Office 365", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2794397708322768, + "definition": { + "title": "Events Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + 
"indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:office365 $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 3 + } + }, + { + "id": 1022648219600948, + "definition": { + "title": "Suspicious Downloads", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:office365 @rule.id:91724 $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 1875607446106454, + "definition": { + "title": "Full Access Permissions", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:office365 @rule.id:91725 $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 
6865881125768212, + "definition": { + "title": "Phishing and Malware", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:office365 @rule.id:(91556 OR 91575 OR 91700) $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 7330141338041320, + "definition": { + "title": "Top 10 Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:office365 $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 4, + "height": 4 + } + }, + { + "id": 4496883989739330, + "definition": { + "title": "Events Distribution by Result Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + 
"compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.office365.ResultStatus", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:office365 $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 4, + "y": 6, + "width": 8, + "height": 4 + } + }, + { + "id": 6961031451752228, + "definition": { + "title": "Distribution of Subscription by Users", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.office365.Subscription", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:office365 $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 12, + "height": 4 + } + }, + { + "id": 8537477015778756, + "definition": { + "title": "Top 10 Operations", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.office365.Operation", + 
"limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:office365 $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 14, + "width": 4, + "height": 4 + } + }, + { + "id": 6834809132762262, + "definition": { + "title": "Top 10 Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:office365 $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 14, + "width": 8, + "height": 4 + } + }, + { + "id": 6485155745934564, + "definition": { + "title": "Top 10 Client IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + 
} + } + ], + "search": { + "query": "source:wazuh service:office365 $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 18, + "width": 5, + "height": 4 + } + }, + { + "id": 6907998811205500, + "definition": { + "title": "Top 10 Countries", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@GeoLocation.country_name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:office365 $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 5, + "y": 18, + "width": 7, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 72, + "width": 12, + "height": 23 + } + }, + { + "id": 2395517531558770, + "definition": { + "title": "Docker", + "background_color": "vivid_purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7156208150716184, + "definition": { + "title": "Events Over Time by Images", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + 
"avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.docker.Actor.Attributes.image", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:docker $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "area" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 3 + } + }, + { + "id": 6865448806643654, + "definition": { + "title": "Top 10 Images", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.docker.Actor.Attributes.image", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:docker $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 3 + } + }, + { + "id": 5849290828564156, + "definition": { + "title": "Top 10 Actions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + 
"data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.docker.Action", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:docker $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 3 + } + }, + { + "id": 3432703269020372, + "definition": { + "title": "Top 10 Agents", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:docker $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 6, + "height": 3 + } + }, + { + "id": 5591909467352946, + "definition": { + "title": "Top 10 Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { 
+ "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:docker $Service $Group $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "dog_classic" + } + }, + "layout": { + "x": 6, + "y": 6, + "width": 6, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 95, + "width": 12, + "height": 10 + } + }, + { + "id": 8180626602299470, + "definition": { + "title": "Cloud Security Event Details", + "title_size": "16", + "title_align": "left", + "time": { + "hide_incomplete_cost_data": true + }, + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:(docker OR github OR amazon OR office365 OR gcp) $Agent_Name $Manager_Name $Level $Service $Group ", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 5 + } + } + ], + "template_variables": [ + { + "name": "Agent_Name", + "prefix": "@agent.name", + "available_values": [], + "default": "*" + }, + { + "name": "Manager_Name", + "prefix": "@manager.name", + "available_values": [], 
+ "default": "*" + }, + { + "name": "Level", + "prefix": "@rule.level", + "available_values": [ + "0", + "2", + "3", + "4", + "5", + "6", + "7", + "8", + "9", + "10", + "11", + "12", + "13", + "14", + "15" + ], + "default": "*" + }, + { + "name": "Service", + "prefix": "service", + "available_values": [], + "default": "*" + }, + { + "name": "Group", + "prefix": "@rule.groups", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/wazuh/assets/dashboards/wazuh_file_integrity_monitoring.json b/wazuh/assets/dashboards/wazuh_file_integrity_monitoring.json new file mode 100644 index 0000000000000..b6d594b90ebc4 --- /dev/null +++ b/wazuh/assets/dashboards/wazuh_file_integrity_monitoring.json 
@@ -0,0 +1,1350 @@ +{ + "title": "Wazuh - File Integrity Monitoring", + "description": "File Integrity Monitoring dashboard provides comprehensive insights into file integrity monitoring events generated by Wazuh.", + "widgets": [ + { + "id": 4024669289646362, + "definition": { + "type": "image", + "url": "https://wazuh.com/brand-assets/Wazuh-Logo.png", + "url_dark_theme": "https://wazuh.com/wp-content/themes/wazuh-v3/assets/images/trademark-and-brand-policy/Wazuh-logo-dark-backgroud.png", + "sizing": "contain", + "margin": "sm", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 5, + "height": 3 + } + }, + { + "id": 4494277148691096, + "definition": { + "title": "File Integrity Monitoring Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8719270230953014, + "definition": { + "title": "Total Events Count", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:file-integrity-monitoring $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 7, + "height": 3 + } + }, + { + "id": 1992525522216382, + "definition": { + "title": "Events Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + 
"queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:file-integrity-monitoring $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 7, + "height": 3 + } + } + ] + }, + "layout": { + "x": 5, + "y": 0, + "width": 7, + "height": 7 + } + }, + { + "id": 5413429525032366, + "definition": { + "type": "note", + "content": "**Dashboard Overview**\n\nFile Integrity Monitoring dashboard provides comprehensive insights into file integrity monitoring events generated by Wazuh.\n\nFor more information, see the [Wazuh Integration Documentation](https://docs.datadoghq.com/integrations/wazuh/)\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 3, + "width": 5, + "height": 4 + } + }, + { + "id": 2758352658220106, + "definition": { + "title": "Top 10 Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring $Agent_Name $Manager_Name 
$Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 3 + } + }, + { + "id": 7924370448247518, + "definition": { + "title": "Events by Action Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@syscheck.event", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 4 + } + }, + { + "id": 329408977384920, + "definition": { + "title": "File Integrity Monitoring Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2013497684674332, + "definition": { + "title": "Events Distribution by Actions", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + 
"indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@syscheck.event", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 5881951673117876, + "definition": { + "title": "Events Distribution by Agents", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 448436359486378, + "definition": { + "title": "Events Distribution by Changed Attributes", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + 
"group_by": [ + { + "facet": "@syscheck.changed_attributes", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 2551707350749488, + "definition": { + "title": "Top 10 Users", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@syscheck.uname_after", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent.id", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + }, + { + "id": 3020756436018874, + "definition": { + "title": "Added Files", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": 
[ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@syscheck.path", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring @syscheck.event:added $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 4 + } + }, + { + "id": 1870609086763558, + "definition": { + "title": "Modified Files", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@syscheck.path", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring @syscheck.event:modified $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 4 + } + }, + { + "id": 8362556047285270, + "definition": { + "title": "Removed Files", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + 
"name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@syscheck.path", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring @syscheck.event:deleted $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 20, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 25 + } + }, + { + "id": 771463225620538, + "definition": { + "title": "File Integrity Checksum", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4199236080682532, + "definition": { + "title": "Events Distribution by Actions", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@syscheck.event", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring @rule.id:(550 OR 553 OR 554 OR 555) $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + 
"layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 8468021606366272, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:file-integrity-monitoring @rule.id:(550 OR 553 OR 554 OR 555) $Agent_Name $Manager_Name $Level $Syscheck_Event $Status", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "syscheck.event", + "width": "auto" + }, + { + "field": "syscheck.changed_attributes", + "width": "auto" + }, + { + "field": "rule.description", + "width": "auto" + }, + { + "field": "content", + "width": "compact" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 39, + "width": 12, + "height": 5 + } + }, + { + "id": 6310523177866342, + "definition": { + "title": "Registry Key Integrity Checksum", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 661490468547602, + "definition": { + "title": "Events Distribution by Actions", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@syscheck.event", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring @rule.id:(594 OR 597 OR 598) $Agent_Name $Manager_Name $Level 
$Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 3712486923718272, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:file-integrity-monitoring @rule.id:(594 OR 597 OR 598) $Agent_Name $Manager_Name $Level $Syscheck_Event $Status", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@rule.id", + "width": "auto" + }, + { + "field": "@rule.groups", + "width": "auto" + }, + { + "field": "@syscheck.event", + "width": "auto" + }, + { + "field": "syscheck.changed_attributes", + "width": "auto" + }, + { + "field": "@rule.description", + "width": "auto" + }, + { + "field": "content", + "width": "compact" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 44, + "width": 12, + "height": 5 + } + }, + { + "id": 952730505508422, + "definition": { + "title": "Registry Value Integrity Checksum", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7828775983506238, + "definition": { + "title": "Events Distribution by Actions", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + 
"aggregation": "count" + }, + "group_by": [ + { + "facet": "@syscheck.event", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:file-integrity-monitoring @rule.id:[750 TO 752] $Agent_Name $Manager_Name $Level $Syscheck_Event $Status" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 230204935135028, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:file-integrity-monitoring @rule.id:[750 TO 752] $Agent_Name $Manager_Name $Level $Syscheck_Event $Status", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "syscheck.changed_attributes", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 49, + "width": 12, + "height": 5 + } + }, + { + "id": 2936146082947726, + "definition": { + "title": "File Integrity Monitoring Events Details", + "title_size": "16", + "title_align": "left", + "time": { + "hide_incomplete_cost_data": true + }, + "requests": [ + { + "response_format": 
"event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:file-integrity-monitoring $Agent_Name $Manager_Name $Level $Syscheck_Event $Status", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "syscheck.changed_attributes", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Agent_Name", + "prefix": "@agent.name", + "available_values": [], + "default": "*" + }, + { + "name": "Manager_Name", + "prefix": "@manager.name", + "available_values": [], + "default": "*" + }, + { + "name": "Level", + "prefix": "@rule.level", + "available_values": [ + "0", + "2", + "3", + "4", + "5", + "6", + "7", + "8", + "9", + "10", + "11", + "12", + "13", + "14", + "15" + ], + "default": "*" + }, + { + "name": "Syscheck_Event", + "prefix": "@syscheck.event", + "available_values": [], + "default": "*" + }, + { + "name": "Status", + "prefix": "status", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/wazuh/assets/dashboards/wazuh_malware_detection.json b/wazuh/assets/dashboards/wazuh_malware_detection.json new file mode 100644 index 0000000000000..675d10f62a86b --- /dev/null +++ b/wazuh/assets/dashboards/wazuh_malware_detection.json 
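Review bot: The Registry Key Integrity Checksum `Log Details` widget (id 3712486923718272) names its columns `@rule.id`, `@rule.groups`, `@syscheck.event` and `@rule.description` with an `@` prefix, while its own `syscheck.changed_attributes` column and every other `list_stream` widget in this file (ids 8468021606366272, 230204935135028, 2936146082947726) use the bare attribute path; the mismatch looks like a copy-paste from a search query and presumably those four columns will not resolve, so confirm the column syntax and align them, e.g. `"field": "rule.id"`. Separately, `Top 10 Rules` (id 2758352658220106) and `File Integrity Monitoring Events Details` (id 2936146082947726) both sit at top level with `"y": 0, "width": 12`, which under `"reflow_type": "fixed"` appears to overlap the logo and overview group occupying the same rows; worth checking in the rendered dashboard. The `Level` template variable lists `0` and `2`–`15` but omits `1`; if that is intentional, a short mention in the dashboard `description` would save the next reader the question.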
@@ -0,0 +1,546 @@ +{ + "title": "Wazuh - Malware Detection", + "description": "Malware Detection dashboard provides comprehensive insights into rootcheck events generated by Wazuh.", + "widgets": [ + { + "id": 3421047797740378, + "definition": { + "type": "image", + "url": "https://wazuh.com/brand-assets/Wazuh-Logo.png", + "url_dark_theme": "https://wazuh.com/wp-content/themes/wazuh-v3/assets/images/trademark-and-brand-policy/Wazuh-logo-dark-backgroud.png", + "sizing": "contain", + "margin": "sm", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 5, + "height": 3 + } + }, + { + "id": 6068191936882372, + "definition": { + "title": "Malware Detection Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4355270808793430, + "definition": { + "title": "Total Events Count", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:malware-detector $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 7, + "height": 3 + } + }, + { + "id": 3829235507627962, + "definition": { + "title": "Total Events Count", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + 
"queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:malware-detector $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 4 + } + }, + { + "id": 255229142299270, + "definition": { + "title": "Top 10 Rule Levels", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.level", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:malware-detector $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 3, + "y": 3, + "width": 4, + "height": 4 + } + } + ] + }, + "layout": { + "x": 5, + "y": 0, + "width": 7, + "height": 8 + } + }, + { + "id": 1178455404503812, + "definition": { + "type": "note", + "content": "**Dashboard Overview**\n\nMalware Detection dashboard provides comprehensive insights into rootcheck events generated by Wazuh.\n\nFor more information, see the [Wazuh Integration Documentation](https://docs.datadoghq.com/integrations/wazuh/)\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to 
change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 3, + "width": 5, + "height": 5 + } + }, + { + "id": 7490666824574026, + "definition": { + "title": "Top 10 Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:malware-detector $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 4 + } + }, + { + "id": 6928351649089164, + "definition": { + "title": "Top 10 Affected Files", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.file", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:malware-detector $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": 
[ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 4931805386079628, + "definition": { + "title": "Top 10 Agents", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:malware-detector $Agent_Name $Manager_Name $Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1561981459458854, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:malware-detector $Agent_Name $Manager_Name $Level ", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + 
} + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Agent_Name", + "prefix": "@agent.name", + "available_values": [], + "default": "*" + }, + { + "name": "Manager_Name", + "prefix": "@manager.name", + "available_values": [], + "default": "*" + }, + { + "name": "Level", + "prefix": "@rule.level", + "available_values": [ + "0", + "2", + "3", + "4", + "5", + "6", + "7", + "8", + "9", + "10", + "11", + "12", + "13", + "14", + "15" + ], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/wazuh/assets/dashboards/wazuh_overview.json b/wazuh/assets/dashboards/wazuh_overview.json new file mode 100644 index 0000000000000..899a6f81696a5 --- /dev/null +++ b/wazuh/assets/dashboards/wazuh_overview.json 
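Review bot: Two widgets in the `Malware Detection Overview` group carry the same title `Total Events Count` — the timeseries (id 4355270808793430) and the query_value (id 3829235507627962) — so the rendered group shows two identically labelled panels of different shape. The sibling dashboards in this change name the timeseries `Events Over Time`; `"title": "Events Over Time"` on the timeseries would match them. Minor: the `Log Details` `query_string` ends with a trailing space (`"... $Level "`), harmless but inconsistent with the other queries in this file.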
@@ -0,0 +1,1249 @@ +{ + "title": "Wazuh - Overview", + "description": "Wazuh provides a comprehensive security solution that detects, analyzes, and responds to threats across multiple IT infrastructure layers. Wazuh collects telemetry from endpoints, network devices, cloud workloads, third-party APIs, and other sources for unified security monitoring and protection.", + "widgets": [ + { + "id": 6348446344076584, + "definition": { + "type": "image", + "url": "https://wazuh.com/brand-assets/Wazuh-Logo.png", + "url_dark_theme": "https://wazuh.com/wp-content/themes/wazuh-v3/assets/images/trademark-and-brand-policy/Wazuh-logo-dark-backgroud.png", + "sizing": "cover", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 5, + "height": 3 + } + }, + { + "id": 1853977853681626, + "definition": { + "title": "Event Logs Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7958987691224374, + "definition": { + "title": "Events Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "count", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 7, + "height": 3 + } + }, + { + "id": 546713173439682, + 
"definition": { + "title": "Total Event Count", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 3 + } + }, + { + "id": 8618808784283546, + "definition": { + "title": "Event Count by Service", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "service", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 2, + "y": 3, + "width": 5, + "height": 3 + } + } + ] + }, + "layout": { + "x": 5, + "y": 0, + "width": 7, + "height": 7 + } + }, + { + "id": 1331273711921418, + "definition": { + "type": "note", + "content": "\nWazuh provides a comprehensive security solution that detects, analyzes, and responds to threats across multiple IT infrastructure layers. 
Wazuh collects telemetry from endpoints, network devices, cloud workloads, third-party APIs, and other sources for unified security monitoring and protection.\n\nFor more information, see the [Wazuh Integration Documentation](https://docs.datadoghq.com/integrations/wazuh/).\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 3, + "width": 5, + "height": 4 + } + }, + { + "id": 8103558959830770, + "definition": { + "type": "note", + "content": "| Level | Title | Description |\n| ---------- | ---------- | ----------|\n| 00 | Ignored | No action taken. Used to avoid false positives. These rules are scanned before all the others, include events with no security relevance and do not appear in the security event dashboard. |\n| 02 | System low priority notification | System notification or status messages. These have no security relevance and do not appear in the security event dashboard. |\n| 03 | System low priority notification | These include successful login attempts, firewall allow events, etc. |\n| 04 | System low priority error | Errors related to bad configurations or unused devices/applications. These have no security relevance and are usually caused by default installations or software testing. |\n| 05 | User generated error | These include missed passwords, denied actions, etc. By themselves, these have no security relevance. |\n|06 | Low relevance attack | These indicate a worm or a virus that has no effect on the system (like code red for Apache servers, etc). These also include frequent IDS events and frequent errors. 
|\n| 07 | \"Bad word\" matching | These include words like \"bad\", \"error\", etc. These events are most of the time unclassified and may have some security relevance. |\n| 08 | First time seen | Include first time seen events. First time an IDS event is fired or the first time a user logs in. It also includes security relevant actions such as the activation of a sniffer or similar activities. |\n| 09 | Error from invalid source | Include attempts to login as an unknown user or from an invalid source. May have security relevance (especially if repeated). These also include errors regarding the \"admin\" (root) account. |\n| 10 | Multiple user generated errors | These include multiple bad passwords, multiple failed logins, etc. These may indicate an attack or simply signal that a user has forgotten their credentials. |\n| 11 | Integrity checking warning | These include messages regarding the modification of binaries or the presence of rootkits (by Rootcheck). These may indicate a successful attack. Also included IDS events that will be ignored (high number of repetitions). |\n| 12 | High importance event | These include error or warning messages from the system, kernel, etc. These may indicate an attack against a specific application. |\n| 13 | Unusual error (high importance) | It matches a common attack pattern most of the time. |\n| 14 | High importance security event | It is triggered with correlation most of the time, and it indicates an attack. |\n| 15 | Severe attack | No chances of false positives. Immediate attention is necessary. 
|\n\nReference Link: https://documentation.wazuh.com/current/user-manual/ruleset/rules/rules-classification.html\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 5, + "height": 5 + } + }, + { + "id": 6646248707273296, + "definition": { + "title": "Events Level Distribution (Level > 3)", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.level", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.level:>3 $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "never" + }, + "layout": { + "x": 5, + "y": 0, + "width": 7, + "height": 5 + } + }, + { + "id": 5829340058908242, + "definition": { + "title": "Error or Critical Events Count", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh status:(error OR critical) $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": 
"black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 4, + "height": 4 + } + }, + { + "id": 6741392378103126, + "definition": { + "title": "Total Authentication Success Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh @rule.groups:authentication_success $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 5, + "width": 4, + "height": 4 + } + }, + { + "id": 3265693880274044, + "definition": { + "title": "Total Authentication Failed Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh @rule.groups:authentication_failed $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 5, + "width": 4, + "height": 4 + } + }, + { + "id": 587442089219928, + "definition": { + "title": "Top 10 Rules", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + 
"queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 6, + "height": 4 + } + }, + { + "id": 5622536135026798, + "definition": { + "title": "Top 10 Agents", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 9, + "width": 6, + "height": 4 + } + }, + { + "id": 4384564956599440, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh $Agent_Name $Manager_Name $Level $Service $Group", + "indexes": [], + "storage": 
"hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 13, + "width": 12, + "height": 5 + } + }, + { + "id": 4185348993152106, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4623916271966642, + "definition": { + "type": "note", + "content": "\nDatadog Cloud SIEM analyzes and correlates Wazuh logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). 
", + "background_color": "purple", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 1460345638454502, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh status:critical $Agent_Name $Manager_Name $Level $Service $Group" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 5476757533653882, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh status:high $Agent_Name $Manager_Name $Level $Service $Group" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 1379476249905458, + "definition": { + "title": "Critical 
Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh status:critical $Agent_Name $Manager_Name $Level $Service $Group" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [ + { + "label": "View related Security Signals", + "link": "/security?query=@workflow.rule.name:{{@workflow.rule.name.value}}&column=time&order=desc&view=signal&start={{timestamp_widget_start}}&end={{timestamp_widget_end}}&paused=false" + } + ], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 2880232965900544, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh status:medium $Agent_Name $Manager_Name $Level $Service $Group" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 3273472547821490, + "definition": 
{ + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh status:low $Agent_Name $Manager_Name $Level $Service $Group" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 3890991967630338, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh status:info $Agent_Name $Manager_Name $Level $Service $Group" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 317314577134156, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": 
"@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh status:high $Agent_Name $Manager_Name $Level $Service $Group" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [ + { + "label": "View related Security Signals", + "link": "/security?query=@workflow.rule.name:{{@workflow.rule.name.value}}&column=time&order=desc&view=signal&start={{timestamp_widget_start}}&end={{timestamp_widget_end}}&paused=false" + } + ], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 514638455017102, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh status:medium $Agent_Name $Manager_Name $Level $Service $Group" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [ + { + "label": "View related Security Signals", + "link": "/security?query=@workflow.rule.name:{{@workflow.rule.name.value}}&column=time&order=desc&view=signal&start={{timestamp_widget_start}}&end={{timestamp_widget_end}}&paused=false" + } + ], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] 
+ }, + "layout": { + "x": 0, + "y": 25, + "width": 12, + "height": 1 + } + } + ], + "template_variables": [ + { + "name": "Agent_Name", + "prefix": "@agent.name", + "available_values": [], + "default": "*" + }, + { + "name": "Manager_Name", + "prefix": "@manager.name", + "available_values": [], + "default": "*" + }, + { + "name": "Level", + "prefix": "@rule.level", + "available_values": [ + "0", + "2", + "3", + "4", + "5", + "6", + "7", + "8", + "9", + "10", + "11", + "12", + "13", + "14", + "15" + ], + "default": "*" + }, + { + "name": "Service", + "prefix": "service", + "available_values": [], + "default": "*" + }, + { + "name": "Group", + "prefix": "@rule.groups", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/wazuh/assets/dashboards/wazuh_security_operations.json b/wazuh/assets/dashboards/wazuh_security_operations.json new file mode 100644 index 0000000000000..7a67e69d0c0c6 --- /dev/null +++ b/wazuh/assets/dashboards/wazuh_security_operations.json 
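Review bot: In the "Events Level Distribution (Level > 3)" query_table the search admits `@rule.level:>3` but the group_by on `@rule.level` is capped at `"limit": 10` and the sort at `"count": 10`, while the Level template variable in this same hunk lists twelve values above 3 (4–15); because rows are ordered by count descending, the two least frequent levels are silently dropped, and on a security dashboard those are typically the rarest, highest-severity ones (14, 15). Raise both caps, `"limit": 12` in the group_by and `"count": 12` in the sort, so every level the filter admits gets a row. Relatedly, "Top 10 Rules" buckets on `@rule.description` even though the Log Details stream exposes `rule.id`; descriptions are not guaranteed unique across rules, so consider `"facet": "@rule.id"` (or a second group_by on it) if distinct rules should not be merged — verify against the ruleset. The "Error or Critical Events Count" widget keys on `status:(error OR critical)`, which presumably relies on a status remapper in the log pipeline that is not part of this hunk; if that mapping is missing the widget reads zero regardless of rule level, which is worth a note in the dashboard description.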
@@ -0,0 +1,1679 @@ +{ + "title": "Wazuh - Security Operations", + "description": "Security Operations dashboard provides comprehensive insights into security requirement related information like PCI DSS, GDPR, HIPAA, NIST 800-53, TSC from Events.", + "widgets": [ + { + "id": 659977522045826, + "definition": { + "type": "image", + "url": "https://wazuh.com/brand-assets/Wazuh-Logo.png", + "url_dark_theme": "https://wazuh.com/wp-content/themes/wazuh-v3/assets/images/trademark-and-brand-policy/Wazuh-logo-dark-backgroud.png", + "sizing": "contain", + "margin": "sm", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 4028971359469922, + "definition": { + "title": "Security Operations Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2123298265834496, + "definition": { + "title": "Total Events with Security Requirements", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh (@rule.pci_dss:* OR @rule.tsc:* OR @rule.gdpr:* OR @rule.nist_800_53:* OR @rule.hipaa:*) $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 7769394477981692, + "definition": { + "title": "Security Requirement Events Over Time", + "title_size": 
"16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh (@rule.pci_dss:* OR @rule.tsc:* OR @rule.gdpr:* OR @rule.nist_800_53:* OR @rule.hipaa:*) $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 8 + } + }, + { + "id": 7604364197333406, + "definition": { + "type": "note", + "content": "**Dashboard Overview**\n\nSecurity Operations dashboard provides comprehensive insights into security requirement related information like PCI DSS, GDPR, HIPAA, NIST 800-53, TSC from Events.\n\nFor more information, see the [Wazuh Integration Documentation](https://docs.datadoghq.com/integrations/wazuh/)\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 5 + } + }, + { + "id": 2048602689858436, + "definition": { + "title": "PCI DSS", + "background_color": "vivid_blue", + "show_title": true, + "type": 
"group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1144093616807694, + "definition": { + "title": "Events Counts with PCI DSS Requirements", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh @rule.pci_dss:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5055373433243734, + "definition": { + "title": "Events Over Time with PCI DSS Requirements", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.pci_dss", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.pci_dss:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 5268880744823144, + "definition": { + "title": "Top 10 Rules with PCI DSS Requirements", + "title_size": "16", + "title_align": 
"left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.pci_dss:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 1974780754823316, + "definition": { + "title": "Event Count of PCI DSS Requirements", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.pci_dss", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.pci_dss:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 
8, + "width": 12, + "height": 8 + } + }, + { + "id": 7720483941389346, + "definition": { + "title": "GDPR", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8869749848032790, + "definition": { + "title": "Events Count with GDPR Requirements", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh @rule.gdpr:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5519177047583144, + "definition": { + "title": "Events Over Time with GDPR Requirements", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.gdpr", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.gdpr:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + 
"height": 3 + } + }, + { + "id": 4615541744804000, + "definition": { + "title": "Top 10 Rules with GDPR Requirements ", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.gdpr:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 3 + } + }, + { + "id": 2072584630965960, + "definition": { + "title": "Event Count of GDPR Requirements", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.gdpr", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.gdpr:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } 
+ ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 8 + } + }, + { + "id": 6154096858104650, + "definition": { + "title": "HIPAA", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4365777638872602, + "definition": { + "title": "Events Count with HIPAA Requirements", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh @rule.hipaa:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 3156341770758884, + "definition": { + "title": "Events Over Time with HIPAA Requirements", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.hipaa", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.hipaa:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": 
"values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ] + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 3411386705914300, + "definition": { + "title": "Top 10 Rules with HIPAA Requirements", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.hipaa:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 6333749761980034, + "definition": { + "title": "Event Count of HIPAA Requirements", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.hipaa", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.hipaa:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": 
"formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 24, + "width": 12, + "height": 8 + } + }, + { + "id": 2725338051777554, + "definition": { + "title": "NIST 800-53", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3030073106892164, + "definition": { + "title": "Events count with NIST 800-53 requirements", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh @rule.nist_800_53:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 4582817295590226, + "definition": { + "title": "Events over time with NIST 800-53 requirements", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.nist_800_53", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.nist_800_53:* $Agent_Name 
$Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 5942697126017822, + "definition": { + "title": "Top 10 Rules with NIST 800-53 requirements ", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.nist_800_53:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 888882234752200, + "definition": { + "title": "Event count of NIST 800-53 Requirements", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.nist_800_53", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh 
@rule.nist_800_53:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 32, + "width": 12, + "height": 8 + } + }, + { + "id": 8095667855962074, + "definition": { + "title": "TSC", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5586127486730564, + "definition": { + "title": "Events count with TSC requirements", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh @rule.tsc:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 8123533592577522, + "definition": { + "title": "Events Over Time with TSC Requirements", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + 
"group_by": [ + { + "facet": "@rule.tsc", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.tsc:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 7677757863899770, + "definition": { + "title": "Top 10 Rules with TSC Requirements", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.tsc:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 166034171012158, + "definition": { + "title": "Event Count of TSC Requirements", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.tsc", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + 
{ + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh @rule.tsc:* $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 40, + "width": 12, + "height": 8 + } + }, + { + "id": 6535282856367696, + "definition": { + "title": "Security Operations Event Details", + "title_size": "16", + "title_align": "left", + "time": { + "hide_incomplete_cost_data": true + }, + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh $Agent_Name $Manager_Name $Level $Service $Group $PCI_DSS $GDPR $HIPAA $NIST_800_53 $TSC", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "rule.pci_dss", + "width": "auto" + }, + { + "field": "rule.gdpr", + "width": "auto" + }, + { + "field": "rule.hipaa", + "width": "auto" + }, + { + "field": "rule.nist_800_53", + "width": "auto" + }, + { + "field": "rule.tsc", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 5 + } + } + ], + 
"template_variables": [
+ {
+ "name": "Agent_Name",
+ "prefix": "@agent.name",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "Manager_Name",
+ "prefix": "@manager.name",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "Level",
+ "prefix": "@rule.level",
+ "available_values": [
+ "0",
+ "2",
+ "3",
+ "4",
+ "5",
+ "6",
+ "7",
+ "8",
+ "9",
+ "10",
+ "11",
+ "12",
+ "13",
+ "14",
+ "15"
+ ],
+ "default": "*"
+ },
+ {
+ "name": "Service",
+ "prefix": "service",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "Group",
+ "prefix": "@rule.groups",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "PCI_DSS",
+ "prefix": "@rule.pci_dss",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "GDPR",
+ "prefix": "@rule.gdpr",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "HIPAA",
+ "prefix": "@rule.hipaa",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "NIST_800_53",
+ "prefix": "@rule.nist_800_53",
+ "available_values": [],
+ "default": "*"
+ },
+ {
+ "name": "TSC",
+ "prefix": "@rule.tsc",
+ "available_values": [],
+ "default": "*"
+ }
+ ],
+ "layout_type": "ordered",
+ "notify_list": [],
+ "reflow_type": "fixed"
+}
\ No newline at end of file
diff --git a/wazuh/assets/dashboards/wazuh_system.json b/wazuh/assets/dashboards/wazuh_system.json
new file mode 100644
index 0000000000000..1335ee9d51d10
--- /dev/null
+++ b/wazuh/assets/dashboards/wazuh_system.json
@@ -0,0 +1,2177 @@ +{ + "title": "Wazuh - System", + "description": "System Dashboard offers a comprehensive summary of Wazuh events for services like SSHD, PAM, Windows, Syslog, FTPD, DPKG, YUM.", + "widgets": [ + { + "id": 4087507448996678, + "definition": { + "type": "image", + "url": "https://wazuh.com/brand-assets/Wazuh-Logo.png", + "url_dark_theme": "https://wazuh.com/wp-content/themes/wazuh-v3/assets/images/trademark-and-brand-policy/Wazuh-logo-dark-backgroud.png", + "sizing": "contain", + "margin": "sm", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 5, + "height": 3 + } + }, + { + "id": 1677921339827388, + "definition": { + "title": "System Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 442076009473208, + "definition": { + "title": "System Events Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Event", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 7, + "height": 3 + } + }, + { + "id": 807392182347004, + "definition": { + "title": "Total System Events Count", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": 
[ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 4 + } + }, + { + "id": 7475578766639274, + "definition": { + "title": "System Events Distribution by Rule Level", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@rule.level", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "never" + }, + "layout": { + "x": 3, + "y": 3, + "width": 4, + "height": 4 + } + } + ] + }, + "layout": { + "x": 5, + "y": 0, + "width": 7, + "height": 8 + } + }, + { + "id": 4843648181281802, + "definition": { + "type": "note", + "content": "**Dashboard Overview**\n\nSystem Dashboard offers a comprehensive summary of Wazuh events for services like SSHD, PAM, Windows, Syslog, FTPD, DPKG, YUM.\n\nFor more information, see the [Wazuh Integration Documentation](https://docs.datadoghq.com/integrations/wazuh/)\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone 
this dashboard to rearrange, modify and add widgets and visualizations.\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 3, + "width": 5, + "height": 5 + } + }, + { + "id": 293055881057102, + "definition": { + "title": "Windows", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6633030749462436, + "definition": { + "title": "Total Windows Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:windows $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 2737863318490500, + "definition": { + "title": "Windows System Error Alerts", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:system @rule.groups:(system_error windows) $Agent_Name $Manager_Name $Level $Service $Group ", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, 
+ "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 7179567743066542, + "definition": { + "title": "Group Changed Event Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:system @rule.groups:group_changed $Agent_Name $Manager_Name $Level $Service $Group ", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "rule.description", + "width": "auto" + }, + { + "field": "full_log", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 5804276721412176, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:system @rule.groups:windows $Agent_Name $Manager_Name $Level $Service $Group", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "message", + "width": "full" + } + ] + } + ], 
+ "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 13 + } + }, + { + "id": 6561100401353856, + "definition": { + "title": "PAM", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4098547939003020, + "definition": { + "title": "Total PAM Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:pam $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 3279306525749082, + "definition": { + "title": "Authentication Failed Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:(pam authentication_failed) $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 3001234188052714, + "definition": { + "title": "Invalid Login Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + 
"data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:(pam invalid_login) $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 3977832210879388, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:system @rule.groups:pam $Agent_Name $Manager_Name $Level $Service $Group", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "message", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 21, + "width": 12, + "height": 1 + } + }, + { + "id": 7563583504446370, + "definition": { + "title": "SSHD", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7839476564361440, + "definition": { + "title": "Total SSHD Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + 
"*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:sshd $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 2, + "height": 4 + } + }, + { + "id": 1752579454795136, + "definition": { + "title": "Count of Multiple Authentication Failure Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:(authentication_failures sshd) $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 4385002891723170, + "definition": { + "title": "Count of Authentication Failed Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:(sshd authentication_failed) $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 2580501997053630, + "definition": { + "title": "Count of Invalid Login Events", + "title_size": "16", + "title_align": 
"left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:(sshd invalid_login) $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 6868930633346486, + "definition": { + "title": "Top 10 Maximum Failed Authentication Source IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system @rule.groups:(sshd authentication_failed) $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 2106925902158378, + "definition": { + "title": "Geo-Distributed Failed Authentication Source IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + 
"limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system @rule.groups:(sshd authentication_failed) $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 8, + "height": 4 + } + }, + { + "id": 5571068253243182, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:system @rule.groups:sshd $Agent_Name $Manager_Name $Level $Service $Group", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 13 + } + }, + { + "id": 4609175900676718, + "definition": { + "title": "Syslog", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5113274333691136, + "definition": { + "title": "Total Syslog Events Count", + "title_size": 
"16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:syslog $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 17451418834084, + "definition": { + "title": "Illegal Port Connection by Source", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system @rule.id:2551 $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 1230597184231180, + "definition": { + "title": "Top 10 Access Denied Source IP", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } 
+ } + ], + "search": { + "query": "source:wazuh service:system @rule.id:2503 $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 3352179480576314, + "definition": { + "title": "Top 10 Authentication Failed Events By Source IP", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system @rule.groups:(syslog authentication_failed) $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 2474681446510698, + "definition": { + "title": "Log Details of New User Added to System", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:system @rule.id:5902 $Agent_Name $Manager_Name $Level $Service $Group", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + 
"columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "usr.id", + "width": "auto" + }, + { + "field": "rule.description", + "width": "auto" + }, + { + "field": "message", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 35, + "width": 12, + "height": 9 + } + }, + { + "id": 8543804388564854, + "definition": { + "title": "FTPD", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3450376916341706, + "definition": { + "title": "Total FTPD Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:ftpd $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 6036318236451164, + "definition": { + "title": "Top 10 Connection Refused Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system 
@rule.id:11107 $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 4 + } + }, + { + "id": 3526360098795738, + "definition": { + "title": "Disconnected User List", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:system @rule.id:11110 $Agent_Name $Manager_Name $Level $Service $Group", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.description", + "width": "auto" + }, + { + "field": "message", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 44, + "width": 12, + "height": 1 + } + }, + { + "id": 3413580681201012, + "definition": { + "title": "DPKG", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7816341086919750, + "definition": { + "title": "Total DPKG Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + 
"group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:dpkg $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 2, + "height": 4 + } + }, + { + "id": 2745252369514204, + "definition": { + "title": "Top 10 Debian Package Installed", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.package", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system @rule.groups:dpkg @data.dpkg_status:install $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 2, + "y": 0, + "width": 5, + "height": 4 + } + }, + { + "id": 7668126053378424, + "definition": { + "title": "Top 10 Debian Package Removed", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.package", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system @rule.groups:dpkg @data.dpkg_status:remove $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + 
"formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 7, + "y": 0, + "width": 5, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 45, + "width": 12, + "height": 1 + } + }, + { + "id": 4987188962040138, + "definition": { + "title": "Yum", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 178050723312040, + "definition": { + "title": "Total Yum Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:system @rule.groups:yum $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 2096218428893638, + "definition": { + "title": "Top 10 Yum Packages Installed", + "title_size": "16", + "title_align": "left", + "time": { + "hide_incomplete_cost_data": true + }, + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.package", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system @rule.groups:yum @data.yum_status:Installed $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + 
"formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 3103992120177378, + "definition": { + "title": "Top 10 Yum Package Updated", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.package", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system @rule.groups:yum @data.yum_status:Updated $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 2491992843098420, + "definition": { + "title": "Top 10 Yum Package Removed", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.package", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:system @rule.groups:yum @data.yum_status:Erased $Agent_Name $Manager_Name $Level $Service $Group" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": 
"query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 46, + "width": 12, + "height": 1 + } + }, + { + "id": 8513797087942712, + "definition": { + "title": "System Event Details", + "title_size": "16", + "title_align": "left", + "time": { + "hide_incomplete_cost_data": true + }, + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:system ", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "Agent_Name", + "prefix": "@agent.name", + "available_values": [], + "default": "*" + }, + { + "name": "Manager_Name", + "prefix": "@manager.name", + "available_values": [], + "default": "*" + }, + { + "name": "Level", + "prefix": "@rule.level", + "available_values": [ + "0", + "2", + "3", + "4", + "5", + "6", + "7", + "8", + "9", + "10", + "11", + "12", + "13", + "14", + "15" + ], + "default": "*" + }, + { + "name": "Service", + "prefix": "service", + "available_values": [], + "default": "*" + }, + { + "name": "Group", + "prefix": "@rule.groups", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + 
"reflow_type": "fixed" +} \ No newline at end of file diff --git a/wazuh/assets/dashboards/wazuh_vulnerability_detection.json b/wazuh/assets/dashboards/wazuh_vulnerability_detection.json new file mode 100644 index 0000000000000..e4144909640c3 --- /dev/null +++ b/wazuh/assets/dashboards/wazuh_vulnerability_detection.json 
@@ -0,0 +1,889 @@ +{ + "title": "Wazuh - Vulnerability Detection", + "description": "Vulnerability Detection dashboard provides comprehensive insights into vulnerabilities found in system by Wazuh.", + "widgets": [ + { + "id": 3241695104934894, + "definition": { + "type": "image", + "url": "https://wazuh.com/brand-assets/Wazuh-Logo.png", + "url_dark_theme": "https://wazuh.com/wp-content/themes/wazuh-v3/assets/images/trademark-and-brand-policy/Wazuh-logo-dark-backgroud.png", + "sizing": "contain", + "margin": "sm", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 5, + "height": 3 + } + }, + { + "id": 7731090086808488, + "definition": { + "title": "Vulnerability Detection Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 995966523828360, + "definition": { + "title": "Events Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:vulnerability-detector $Agent_Name $Manager_Name $Level $Vulnerability_Status $Vulnerability_Severity" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 7, + "height": 3 + } + }, + { + "id": 2346227907404976, + "definition": { + "title": "Total Events Count", + "title_size": "16", + 
"title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:vulnerability-detector $Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 3 + } + }, + { + "id": 4929464656402316, + "definition": { + "title": "Events Distribution by Vulnerability Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.vulnerability.status", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:vulnerability-detector $Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 3, + "y": 3, + "width": 4, + "height": 3 + } + } + ] + }, + "layout": { + "x": 5, + "y": 0, + "width": 7, + "height": 7 + } + }, + { + "id": 3722981187393880, + "definition": { + "type": "note", + "content": "**Dashboard Overview**\n\nVulnerability Detection dashboard provides comprehensive insights into vulnerabilities found in system by Wazuh.\n\nFor more information, see the [Wazuh Integration 
Documentation](https://docs.datadoghq.com/integrations/wazuh/)\n\nTips:\n - Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify and add widgets and visualizations.\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 3, + "width": 5, + "height": 4 + } + }, + { + "id": 3142797663078644, + "definition": { + "title": "Vulnerability Detection Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1547241309851244, + "definition": { + "title": "Total Critical Severity Vulnerability Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:vulnerability-detector @data.vulnerability.severity:Critical $Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 6089716315812684, + "definition": { + "title": "Total High Severity Vulnerability Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:vulnerability-detector @data.vulnerability.severity:High 
$Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 5165112387972246, + "definition": { + "title": "Total Medium Severity Vulnerability Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:vulnerability-detector @data.vulnerability.severity:Medium $Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 2245291057741448, + "definition": { + "title": "Total Low Severity Vulnerability Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:wazuh service:vulnerability-detector @data.vulnerability.severity:Low $Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 3 + } + }, + { + "id": 2718749144291254, + "definition": { + "title": "Top 10 Latest Critical Vulnerability", + "title_size": "16", + "title_align": "left", + "type": "query_table", + 
"requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.vulnerability.cve", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@timestamp", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:vulnerability-detector @data.vulnerability.status:Active @data.vulnerability.severity:Critical $Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "order_by": [ + { + "type": "group", + "name": "@timestamp", + "order": "desc" + } + ], + "count": 100 + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 3, + "width": 8, + "height": 3 + } + }, + { + "id": 4792903542761758, + "definition": { + "title": "Top 10 CVE", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.vulnerability.cve", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:vulnerability-detector $Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 6, + "height": 4 + } 
+ }, + { + "id": 8489421953906876, + "definition": { + "title": "Top 10 Agents with Vulnerability", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@agent.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:vulnerability-detector $Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 6, + "width": 6, + "height": 4 + } + }, + { + "id": 8596195345126224, + "definition": { + "title": "Top 10 Vulnerability Assigner", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.vulnerability.assigner", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:vulnerability-detector $Agent_Name $Manager_Name $Level $Vulnerability_Status $Vulnerability_Severity" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 4, + "height": 4 + } + 
}, + { + "id": 3667365058893686, + "definition": { + "title": " Packages Affected by Vulnerability", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@data.vulnerability.package.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@data.vulnerability.severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:wazuh service:vulnerability-detector $Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 4, + "y": 10, + "width": 8, + "height": 4 + } + }, + { + "id": 1144249679581738, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:wazuh service:vulnerability-detector $Vulnerability_Severity $Vulnerability_Status $Level $Manager_Name $Agent_Name ", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "agent.name", + "width": "auto" + }, + { + "field": "rule.level", + "width": "auto" + }, + { + "field": "rule.id", + "width": "auto" + }, + { + "field": "rule.groups", + "width": "auto" + }, + { + 
"field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 14, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 7, + "width": 12, + "height": 19 + } + } + ], + "template_variables": [ + { + "name": "Agent_Name", + "prefix": "@agent.name", + "available_values": [], + "default": "*" + }, + { + "name": "Manager_Name", + "prefix": "@manager.name", + "available_values": [], + "default": "*" + }, + { + "name": "Level", + "prefix": "@rule.level", + "available_values": [ + "0", + "2", + "3", + "4", + "5", + "6", + "7", + "8", + "9", + "10", + "11", + "12", + "13", + "14", + "15" + ], + "default": "*" + }, + { + "name": "Vulnerability_Status", + "prefix": "@data.vulnerability.status", + "available_values": [], + "default": "*" + }, + { + "name": "Vulnerability_Severity", + "prefix": "@data.vulnerability.severity", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/wazuh/assets/logs/wazuh.yaml b/wazuh/assets/logs/wazuh.yaml new file mode 100644 index 0000000000000..5ae1941f3ce16 --- /dev/null +++ b/wazuh/assets/logs/wazuh.yaml 
@@ -0,0 +1,471 @@
+id: wazuh
+metric_id: wazuh
+backend_only: false
+facets:
+ - groups:
+ - Web Access
+ name: URL Path
+ path: http.url
+ source: log
+ - groups:
+ - Web Access
+ name: URL Host
+ path: http.url_details.host
+ source: log
+ - groups:
+ - Web Access
+ name: URL Path
+ path: http.url_details.path
+ source: log
+ - groups:
+ - Web Access
+ name: URL Port
+ path: http.url_details.port
+ source: log
+ - groups:
+ - Web Access
+ name: URL scheme
+ path: http.url_details.scheme
+ source: log
+ - groups:
+ - Geoip
+ name: City Name
+ path: network.client.geoip.city.name
+ source: log
+ - groups:
+ - Geoip
+ name: Continent Code
+ path: network.client.geoip.continent.code
+ source: log
+ - groups:
+ - Geoip
+ name: Continent Name
+ path: network.client.geoip.continent.name
+ source: log
+ - groups:
+ - Geoip
+ name: Country ISO Code
+ path: network.client.geoip.country.iso_code
+ source: log
+ - groups:
+ - Geoip
+ name: Country Name
+ path: network.client.geoip.country.name
+ source: log
+ - groups:
+ - Geoip
+ name: Subdivision ISO Code
+ path: network.client.geoip.subdivision.iso_code
+ source: log
+ - groups:
+ - Geoip
+ name: Subdivision Name
+ path: network.client.geoip.subdivision.name
+ source: log
+ - groups:
+ - Web Access
+ name: Client IP
+ path: network.client.ip
+ source: log
+ - groups:
+ - Web Access
+ name: Client Port
+ path: network.client.port
+ source: log
+ - groups:
+ - Geoip
+ name: Destination City Name
+ path: network.destination.geoip.city.name
+ source: log
+ - groups:
+ - Geoip
+ name: Destination Continent Code
+ path: network.destination.geoip.continent.code
+ source: log
+ - groups:
+ - Geoip
+ name: Destination Continent Name
+ path: network.destination.geoip.continent.name
+ source: log
+ - groups:
+ - Geoip
+ name: Destination Country ISO Code
+ path: network.destination.geoip.country.iso_code
+ source: log
+ - groups:
+ - Geoip
+ name: Destination Country Name
+ path: network.destination.geoip.country.name
+ source: log
+ - groups: + - Geoip + name: Destination Subdivision ISO Code + path: network.destination.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Destination Subdivision Name + path: network.destination.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Destination IP + path: network.destination.ip + source: log + - groups: + - Web Access + name: Destination Port + path: network.destination.port + source: log + - groups: + - User + name: User Email + path: usr.email + source: log + - groups: + - User + name: User ID + path: usr.id + source: log + - groups: + - User + name: User Name + path: usr.name + source: log +pipeline: + type: pipeline + name: Wazuh + enabled: true + filter: + query: "source:wazuh" + processors: + - type: grok-parser + name: Parsing wazuh alerts + enabled: true + source: message + samples: + - '<132>Sep 13 13:21:06 ub20-host ossec: + {"timestamp":"2024-09-13T13:21:06.262+0530","rule":{"level":3,"description":"Successful + sudo to ROOT + executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege + Escalation","Defense Evasion"],"technique":["Sudo and Sudo + Caching"]},"firedtimes":3,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"ub20-host"},"manager":{"name":"ub20-host"},"id":"1726213866.2869025","full_log":"Sep + 13 13:21:04 ub20-host sudo: root : TTY=pts/13 ; PWD=/home/devuser + ; USER=root ; COMMAND=/usr/bin/nano + /var/ossec/etc/ossec.conf","predecoder":{"program_name":"sudo","timestamp":"Sep + 13 + 13:21:04","hostname":"ub20-host"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First + time user executed the sudo + command"},"data":{"srcuser":"root","dstuser":"root","tty":"pts/13","pwd":"/home/devuser","command":"/usr/bin/nano + /var/ossec/etc/ossec.conf"},"location":"/var/log/auth.log"}' + - 
'<132>Sep 13 06:57:24 ub20-host ossec: + {"timestamp":"2024-09-13T06:57:24.370+0530","rule":{"level":7,"description":"New + dpkg (Debian Package) + installed.","id":"2902","firedtimes":4,"mail":false,"groups":["syslog","dpkg","config_changed"],"pci_dss":["10.6.1","10.2.7"],"gpg13":["4.10"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14"],"tsc":["CC7.2","CC7.3","CC6.8","CC8.1"]},"agent":{"id":"000","name":"ub20-host"},"manager":{"name":"ub20-host"},"id":"1726190844.1166546","full_log":"2024-09-13 + 06:57:23 status installed python3-setuptools:all + 59.6.0-1.2ubuntu0.22.04.2","decoder":{"name":"dpkg-decoder"},"data":{"dpkg_status":"status + installed","package":"python3-setuptools","arch":"all","version":"59.6.0-1.2ubuntu0.22.04.2"},"location":"/var/log/dpkg.log"}' + - '<132>Sep 12 17:26:07 ub20-host ossec: + {"timestamp":"2024-09-12T17:26:07.096+0530","rule":{"level":5,"description":"sshd: + Attempt to login using a non-existent + user","id":"5710","firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"009","name":"test","ip":"10.10.10.10"},"manager":{"name":"ub20-host"},"id":"1726142167.5280471","full_log":"Sep + 12 17:26:06 test sshd[648303]: Disconnecting invalid user admin + 10.10.10.10 port 65182: Too many authentication failures + [preauth]","predecoder":{"program_name":"sshd","timestamp":"Sep 12 + 17:26:06","hostname":"test"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"10.10.10.10","srcport":"65182","srcuser":"admin"},"location":"/var/log/auth.log"}' + - '<132>Sep 12 15:52:53 ub20-host ossec: + {"timestamp":"2024-09-12T15:52:53.997+0530","rule":{"level":3,"description":"CIS + Ubuntu Linux 22.04 LTS Benchmark v1.0.0.: Ensure all groups in + /etc/passwd exist in + 
/etc/group.","id":"19008","firedtimes":161,"mail":false,"groups":["sca"],"gdpr":["IV_35.7.d"],"pci_dss":["2.2"],"nist_800_53":["CM.1"],"tsc":["CC7.1","CC7.2"],"cis":["6.2.3"],"mitre_mitigations":["M1027"],"mitre_tactics":["TA0003"],"mitre_techniques":["T1222","T1222.002"]},"agent":{"id":"009","name":"test","ip":"10.10.10.10"},"manager":{"name":"ub20-host"},"id":"1726136573.4870334","decoder":{"name":"sca"},"data":{"sca":{"type":"check","scan_id":"305863468","policy":"CIS + Ubuntu Linux 22.04 LTS Benchmark + v1.0.0.","check":{"id":"28680","title":"Ensure all groups in + /etc/passwd exist in /etc/group.","description":"Over time, system + administration errors and changes can lead to groups being defined in + /etc/passwd but not in /etc/group.","rationale":"Groups defined in the + /etc/passwd file but not in the /etc/group file pose a threat to + system security since group permissions are not properly + managed.","remediation":"Analyze the output of the Audit step above + and perform the appropriate action to correct any discrepancies + found.","compliance":{"cis":"6.2.3","mitre_mitigations":"M1027","mitre_tactics":"TA0003","mitre_techniques":"T1222,T1222.002"},"file":["/etc/group"],"result":"passed"}}},"location":"sca"}' + - '<132>Sep 13 12:06:18 ub20-host ossec: + {"timestamp":"2024-09-13T12:06:18.798+0530","rule":{"level":3,"description":"Service + startup type was changed","id":"61104","info":"This does not appear to + be logged on Windows + 2000","firedtimes":2,"mail":false,"groups":["windows","windows_system","policy_changed"],"pci_dss":["10.6"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"007","name":"win1-1-1-1","ip":"10.10.10.10"},"manager":{"name":"ub20-host"},"id":"1726209378.2623069","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Service + Control + Manager","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Service + 
Control + Manager","eventID":"7040","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2024-09-13T06:36:17.6181876Z","eventRecordID":"8694","processID":"832","threadID":"10120","channel":"System","computer":"win1-1-1-1","severityValue":"INFORMATION","message":"\"The + start type of the Background Intelligent Transfer Service service was + changed from auto start to demand + start.\""},"eventdata":{"param1":"Background Intelligent Transfer + Service","param2":"auto start","param3":"demand + start","param4":"BITS"}}},"location":"EventChannel"}' + grok: + supportRules: "" + matchRules: 'wazuh_alert_parsing_rule (<%{integer}>)?(%{date("MMM d + HH:mm:ss")}|%{date("MMM d HH:mm:ss")}) + %{notSpace:syslog.hostname:nullIf("-")} + %{notSpace:syslog.appname:nullIf("-")}: %{data::json}' + - name: Assign `status` attribute from `rule.level` value + enabled: true + source: rule.level + target: status + lookupTable: |- + 0,information + 1,information + 2,information + 3,information + 4,information + 5,information + 6,information + 7,warning + 8,warning + 9,warning + 10,warning + 11,warning + 12,error + 13,error + 14,error + 15,critical + type: lookup-processor + - type: date-remapper + name: Define `timestamp` as the official date of the log + enabled: true + sources: + - timestamp + - type: category-processor + name: Define `service` from `rule.groups` + enabled: true + categories: + - filter: + query: "@rule.groups:syscheck" + name: file-integrity-monitoring + - filter: + query: "@rule.groups:github" + name: github + - filter: + query: "@rule.groups:gcp" + name: google-cloud + - filter: + query: "@rule.groups:amazon" + name: amazon + - filter: + query: "@rule.groups:office365" + name: office365 + - filter: + query: "@rule.groups:docker" + name: docker + - filter: + query: "@rule.groups:vulnerability-detector" + name: vulnerability-detector + - filter: + query: "@rule.groups:rootcheck" + name: malware-detector + - filter: + query: 
"@rule.groups:(sshd OR pam OR wazuh OR ossec OR su OR sudo OR adduser OR
+ ftpd OR windows OR dpkg OR yum OR syslog)"
+ name: system
+ target: service
+ - type: category-processor
+ name: Define `service` value as `other` for other rule groups
+ enabled: true
+ categories:
+ - filter:
+ query: -@service:(file-integrity-monitoring OR vulnerability-detector OR
+ malware-detector OR github OR google-cloud OR amazon OR office365
+ OR docker OR system)
+ name: other
+ target: service
+ - type: service-remapper
+ name: Define `service` as the official service of the log
+ enabled: true
+ sources:
+ - service
+ - type: attribute-remapper
+ name: Map `data.github.actor` to `usr.name`
+ enabled: true
+ sources:
+ - data.github.actor
+ sourceType: attribute
+ target: usr.name
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.gcp.jsonPayload.sourceIP` to `network.client.ip`
+ enabled: true
+ sources:
+ - data.gcp.jsonPayload.sourceIP
+ sourceType: attribute
+ target: network.client.ip
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.office365.UserId` to `usr.email`
+ enabled: true
+ sources:
+ - data.office365.UserId
+ sourceType: attribute
+ target: usr.email
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.office365.ClientIP` to `network.client.ip`
+ enabled: true
+ sources:
+ - data.office365.ClientIP
+ sourceType: attribute
+ target: network.client.ip
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.src_ip` to `network.client.ip`
+ enabled: true
+ sources:
+ - data.src_ip
+ sourceType: attribute
+ target: network.client.ip
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.srcip` to `network.client.ip`
+ 
enabled: true
+ sources:
+ - data.srcip
+ sourceType: attribute
+ target: network.client.ip
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.srcport` to `network.client.port`
+ enabled: true
+ sources:
+ - data.srcport
+ sourceType: attribute
+ target: network.client.port
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.uid` to `usr.id`
+ enabled: true
+ sources:
+ - data.uid
+ sourceType: attribute
+ target: usr.id
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.srcuser` to `usr.name`
+ enabled: true
+ sources:
+ - data.srcuser
+ sourceType: attribute
+ target: usr.name
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.dstip` to `network.destination.ip`
+ enabled: true
+ sources:
+ - data.dstip
+ sourceType: attribute
+ target: network.destination.ip
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.dstport` to `network.destination.port`
+ enabled: true
+ sources:
+ - data.dstport
+ sourceType: attribute
+ target: network.destination.port
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.src_port` to `network.client.port`
+ enabled: true
+ sources:
+ - data.src_port
+ sourceType: attribute
+ target: network.client.port
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `data.url` to `http.url`
+ enabled: true
+ sources:
+ - data.url
+ sourceType: attribute
+ target: http.url
+ targetType: attribute
+ preserveSource: false
+ overrideOnConflict: false
+ - type: status-remapper
+ name: Define `status` as the official status of the log
+ enabled: true
+ sources:
+ - 
status + - type: geo-ip-parser + name: Define `network.client.ip` as default geoip attribute for source + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: geo-ip-parser + name: Define `network.destination.ip` as default geoip attribute for destination + enabled: true + sources: + - network.destination.ip + target: network.destination.geoip + ip_processing_behavior: do-nothing + - type: url-parser + name: Extracts information from `http.url` + enabled: true + sources: + - http.url + target: http.url_details + normalizeEndingSlashes: false + - type: pipeline + name: Processing of Yum Logs + enabled: true + filter: + query: "@rule.groups:yum" + processors: + - type: grok-parser + name: Parse yum logs + enabled: true + source: full_log + samples: + - "Dec 17 07:05:06 ax yum: Installed: libX11-devel - + 1.0.3-9.el5.i386" + - "Oct 8 07:17:27 ax yum[61038]: Erased: + file-roller-3.28.1-2.el7.x86_64" + - | + Aug 20 12:46:57 Installed: device-mapper-event.i386 1.02.24-1.el5 + - "Aug 20 12:51:21 Erased: libhugetlbfs-lib" + - | + Aug 20 12:45:56 Updated: perl.i386 4:5.8.8-10.el5_2.3 + grok: + supportRules: |- + DATETIME (%{date("MMM d HH:mm:ss"):}|%{date("MMM dd HH:mm:ss"):}) + SKIPHEADER %{regex("[^:]*"):} + matchRules: >- + yum_package_parsing_rule %{DATETIME} %{SKIPHEADER}: + %{word:data.yum_status}: %{data:data.package} + + + yum_package_parsing_rule_2 %{DATETIME} %{word:data.yum_status}: %{data:data.package} diff --git a/wazuh/assets/logs/wazuh_tests.yaml b/wazuh/assets/logs/wazuh_tests.yaml new file mode 100644 index 0000000000000..91fe5f8076346 --- /dev/null +++ b/wazuh/assets/logs/wazuh_tests.yaml 
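Review bot: The alert grok rule's date alternation `(%{date("MMM d HH:mm:ss")}|%{date("MMM d HH:mm:ss")})` repeats the same pattern twice, so the second branch is dead and buys nothing; the yum `DATETIME` support rule further down this hunk pairs `MMM d` with `MMM dd`, and this rule presumably meant the same, so the second branch should read `%{date("MMM dd HH:mm:ss")}` (or a space-padded `MMM  d HH:mm:ss` if the forwarder pads single-digit days — worth confirming against a real day-1..9 alert, since every sample in the hunk uses a two-digit day). A second, security-related point: nothing in `matchRules` constrains `syslog.appname` (for example to `ossec`) and the pipeline filter is only `source:wazuh`, so any syslog line of the form `<PRI>date host app: {json}` that reaches the listener is accepted as a Wazuh alert, with `agent.name`, `rule.groups` (hence `service`) and `rule.level` (hence `status`) taken verbatim from the payload. That is inherent to unauthenticated syslog rather than a defect introduced here, but it deserves a comment above `matchRules:` so operators do not treat `status:critical` as trustworthy on its own, e.g. `# NOTE: the sender is not authenticated; rule.level and rule.groups drive status/service, so restrict the listener to the Wazuh manager's address (or use TCP/TLS).`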
@@ -0,0 +1,912 @@ +id: wazuh +tests: + - + sample: |- + <132>Sep 23 05:55:30 ub22-50-1-173 ossec: {"timestamp":"2024-09-23T05:55:30","rule":{"level":5,"description":"Registry Value Integrity Checksum Changed","id":"750","mitre":{"id":["T1565.001","T1112"],"tactic":["Impact","Defense Evasion"],"technique":["Stored Data Manipulation","Modify Registry"]},"firedtimes":11,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_registry"],"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"007","name":"WIN11-50-10-210","ip":"10.40.1.245"},"manager":{"name":"ub22-50-1-173"},"id":"1727051130.307309","full_log":"Registry Value '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-407847833-942180688-1368611096-1010\\\\Device\\HarddiskVolume3\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe' modified + Mode: scheduled + Changed attributes: md5,sha1,sha256 + Old md5sum was: '4846b4c5616e0c64cb5b8e819ab04f89' + New md5sum is : '0ee93c27cf42e2da3604b882ee45532b' + Old sha1sum was: 'f532d82856fe2caa1855cfac46db8ef15a86e89c' + New sha1sum is : '19c0cef959812a95c7ac12d465ec400df796f952' + Old sha256sum was: '578954f71e55ba6b255e4cdb349bb7c1f981eeeb04ed05f7ad1855a8f389d2c9' + New sha256sum is : 'da42382c2410098d76ebee82fc73a696224433c82deff26fb5ff1c796b3f7bdc' + ","syscheck":{"path":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-407847833-942180688-1368611096-1010","mode":"scheduled","arch":"[x32]","value_name":"\\Device\\HarddiskVolume3\\Program Files 
(x86)\\Microsoft\\Edge\\Application\\msedge.exe","value_type":"REG_BINARY","size_after":"24","md5_before":"4846b4c5616e0c64cb5b8e819ab04f89","md5_after":"0ee93c27cf42e2da3604b882ee45532b","sha1_before":"f532d82856fe2caa1855cfac46db8ef15a86e89c","sha1_after":"19c0cef959812a95c7ac12d465ec400df796f952","sha256_before":"578954f71e55ba6b255e4cdb349bb7c1f981eeeb04ed05f7ad1855a8f389d2c9","sha256_after":"da42382c2410098d76ebee82fc73a696224433c82deff26fb5ff1c796b3f7bdc","changed_attributes":["md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_registry_value_modified"},"location":"syscheck"} + service: "file-integrity-monitoring" + result: + custom: + agent: + id: "007" + ip: "10.40.1.245" + name: "WIN11-50-10-210" + decoder: + name: "syscheck_registry_value_modified" + full_log: | + Registry Value '[x32] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-407847833-942180688-1368611096-1010\\Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' modified + Mode: scheduled + Changed attributes: md5,sha1,sha256 + Old md5sum was: '4846b4c5616e0c64cb5b8e819ab04f89' + New md5sum is : '0ee93c27cf42e2da3604b882ee45532b' + Old sha1sum was: 'f532d82856fe2caa1855cfac46db8ef15a86e89c' + New sha1sum is : '19c0cef959812a95c7ac12d465ec400df796f952' + Old sha256sum was: '578954f71e55ba6b255e4cdb349bb7c1f981eeeb04ed05f7ad1855a8f389d2c9' + New sha256sum is : 'da42382c2410098d76ebee82fc73a696224433c82deff26fb5ff1c796b3f7bdc' + id: "1727051130.307309" + location: "syscheck" + manager: + name: "ub22-50-1-173" + rule: + description: "Registry Value Integrity Checksum Changed" + firedtimes: 11 + gdpr: + - "II_5.1.f" + gpg13: + - "4.13" + groups: + - "ossec" + - "syscheck" + - "syscheck_entry_modified" + - "syscheck_registry" + hipaa: + - "164.312.c.1" + - "164.312.c.2" + id: "750" + level: 5 + mail: false + mitre: + id: + - "T1565.001" + - "T1112" + tactic: + - "Impact" + - "Defense Evasion" + technique: + - "Stored 
Data Manipulation" + - "Modify Registry" + nist_800_53: + - "SI.7" + pci_dss: + - "11.5" + tsc: + - "PI1.4" + - "PI1.5" + - "CC6.1" + - "CC6.8" + - "CC7.2" + - "CC7.3" + service: "file-integrity-monitoring" + status: "information" + syscheck: + arch: "[x32]" + changed_attributes: + - "md5" + - "sha1" + - "sha256" + event: "modified" + md5_after: "0ee93c27cf42e2da3604b882ee45532b" + md5_before: "4846b4c5616e0c64cb5b8e819ab04f89" + mode: "scheduled" + path: "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-407847833-942180688-1368611096-1010" + sha1_after: "19c0cef959812a95c7ac12d465ec400df796f952" + sha1_before: "f532d82856fe2caa1855cfac46db8ef15a86e89c" + sha256_after: "da42382c2410098d76ebee82fc73a696224433c82deff26fb5ff1c796b3f7bdc" + sha256_before: "578954f71e55ba6b255e4cdb349bb7c1f981eeeb04ed05f7ad1855a8f389d2c9" + size_after: "24" + value_name: "\\Device\\HarddiskVolume3\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" + value_type: "REG_BINARY" + syslog: + appname: "ossec" + hostname: "ub22-50-1-173" + timestamp: "2024-09-23T05:55:30" + message: |- + <132>Sep 23 05:55:30 ub22-50-1-173 ossec: {"timestamp":"2024-09-23T05:55:30","rule":{"level":5,"description":"Registry Value Integrity Checksum Changed","id":"750","mitre":{"id":["T1565.001","T1112"],"tactic":["Impact","Defense Evasion"],"technique":["Stored Data Manipulation","Modify Registry"]},"firedtimes":11,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_registry"],"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"007","name":"WIN11-50-10-210","ip":"10.40.1.245"},"manager":{"name":"ub22-50-1-173"},"id":"1727051130.307309","full_log":"Registry Value '[x32] 
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-407847833-942180688-1368611096-1010\\\\Device\\HarddiskVolume3\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe' modified + Mode: scheduled + Changed attributes: md5,sha1,sha256 + Old md5sum was: '4846b4c5616e0c64cb5b8e819ab04f89' + New md5sum is : '0ee93c27cf42e2da3604b882ee45532b' + Old sha1sum was: 'f532d82856fe2caa1855cfac46db8ef15a86e89c' + New sha1sum is : '19c0cef959812a95c7ac12d465ec400df796f952' + Old sha256sum was: '578954f71e55ba6b255e4cdb349bb7c1f981eeeb04ed05f7ad1855a8f389d2c9' + New sha256sum is : 'da42382c2410098d76ebee82fc73a696224433c82deff26fb5ff1c796b3f7bdc' + ","syscheck":{"path":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\S-1-5-21-407847833-942180688-1368611096-1010","mode":"scheduled","arch":"[x32]","value_name":"\\Device\\HarddiskVolume3\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","value_type":"REG_BINARY","size_after":"24","md5_before":"4846b4c5616e0c64cb5b8e819ab04f89","md5_after":"0ee93c27cf42e2da3604b882ee45532b","sha1_before":"f532d82856fe2caa1855cfac46db8ef15a86e89c","sha1_after":"19c0cef959812a95c7ac12d465ec400df796f952","sha256_before":"578954f71e55ba6b255e4cdb349bb7c1f981eeeb04ed05f7ad1855a8f389d2c9","sha256_after":"da42382c2410098d76ebee82fc73a696224433c82deff26fb5ff1c796b3f7bdc","changed_attributes":["md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_registry_value_modified"},"location":"syscheck"} + service: "file-integrity-monitoring" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1727070930000 + - sample: '<132>Sep 19 08:25:04 ub20 ossec: + {"timestamp":"2024-09-19T08:25:04.210+0530","rule":{"level":7,"description":"Dpkg + (Debian Package) half + 
configured.","id":"2904","firedtimes":7,"mail":false,"groups":["syslog","dpkg","config_changed"],"pci_dss":["10.6.1","10.2.7"],"gpg13":["4.10"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6","AU.14"],"tsc":["CC7.2","CC7.3","CC6.8","CC8.1"]},"agent":{"id":"000","name":"ub20"},"manager":{"name":"ub20"},"id":"1726714504.1044193","full_log":"2024-09-19 + 08:25:02 status half-configured linux-headers-5.15.0-119:all + 5.15.0-119.129","decoder":{"name":"dpkg-decoder"},"data":{"dpkg_status":"status + half-configured","package":"linux-headers-5.15.0-119","arch":"all","version":"5.15.0-119.129"},"location":"/var/log/dpkg.log"}' + result: + custom: + agent: + id: "000" + name: "ub20" + data: + arch: "all" + dpkg_status: "status half-configured" + package: "linux-headers-5.15.0-119" + version: "5.15.0-119.129" + decoder: + name: "dpkg-decoder" + full_log: "2024-09-19 08:25:02 status half-configured linux-headers-5.15.0-119:all 5.15.0-119.129" + id: "1726714504.1044193" + location: "/var/log/dpkg.log" + manager: + name: "ub20" + rule: + description: "Dpkg (Debian Package) half configured." 
+ firedtimes: 7 + gdpr: + - "IV_35.7.d" + gpg13: + - "4.10" + groups: + - "syslog" + - "dpkg" + - "config_changed" + hipaa: + - "164.312.b" + id: "2904" + level: 7 + mail: false + nist_800_53: + - "AU.6" + - "AU.14" + pci_dss: + - "10.6.1" + - "10.2.7" + tsc: + - "CC7.2" + - "CC7.3" + - "CC6.8" + - "CC8.1" + service: "system" + status: "warning" + syslog: + appname: "ossec" + hostname: "ub20" + timestamp: "2024-09-19T08:25:04.210+0530" + message: "<132>Sep 19 08:25:04 ub20 ossec: {\"timestamp\":\"2024-09-19T08:25:04.210+0530\",\"rule\":{\"level\":7,\"description\":\"Dpkg (Debian Package) half configured.\",\"id\":\"2904\",\"firedtimes\":7,\"mail\":false,\"groups\":[\"syslog\",\"dpkg\",\"config_changed\"],\"pci_dss\":[\"10.6.1\",\"10.2.7\"],\"gpg13\":[\"4.10\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\",\"AU.14\"],\"tsc\":[\"CC7.2\",\"CC7.3\",\"CC6.8\",\"CC8.1\"]},\"agent\":{\"id\":\"000\",\"name\":\"ub20\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726714504.1044193\",\"full_log\":\"2024-09-19 08:25:02 status half-configured linux-headers-5.15.0-119:all 5.15.0-119.129\",\"decoder\":{\"name\":\"dpkg-decoder\"},\"data\":{\"dpkg_status\":\"status half-configured\",\"package\":\"linux-headers-5.15.0-119\",\"arch\":\"all\",\"version\":\"5.15.0-119.129\"},\"location\":\"/var/log/dpkg.log\"}" + service: "system" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726714504210 + - sample: '<132>Sep 18 16:05:21 ub20 ossec: + {"timestamp":"2024-09-18T16:05:21.609+0530","rule":{"level":3,"description":"PAM: + Login session + closed.","id":"5502","firedtimes":5,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"ub20"},"manager":{"name":"ub20"},"id":"1726655721.947358","full_log":"Sep + 18 16:05:20 ub20 su: pam_unix(su:session): session closed for + user 
root","predecoder":{"program_name":"su","timestamp":"Sep 18 + 16:05:20","hostname":"ub20"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}' + result: + custom: + agent: + id: "000" + name: "ub20" + data: + dstuser: "root" + decoder: + name: "pam" + parent: "pam" + full_log: "Sep 18 16:05:20 ub20 su: pam_unix(su:session): session closed for user root" + id: "1726655721.947358" + location: "/var/log/auth.log" + manager: + name: "ub20" + predecoder: + hostname: "ub20" + program_name: "su" + timestamp: "Sep 18 16:05:20" + rule: + description: "PAM: Login session closed." + firedtimes: 5 + gdpr: + - "IV_32.2" + gpg13: + - "7.8" + - "7.9" + groups: + - "pam" + - "syslog" + hipaa: + - "164.312.b" + id: "5502" + level: 3 + mail: false + nist_800_53: + - "AU.14" + - "AC.7" + pci_dss: + - "10.2.5" + tsc: + - "CC6.8" + - "CC7.2" + - "CC7.3" + service: "system" + status: "information" + syslog: + appname: "ossec" + hostname: "ub20" + timestamp: "2024-09-18T16:05:21.609+0530" + message: "<132>Sep 18 16:05:21 ub20 ossec: {\"timestamp\":\"2024-09-18T16:05:21.609+0530\",\"rule\":{\"level\":3,\"description\":\"PAM: Login session closed.\",\"id\":\"5502\",\"firedtimes\":5,\"mail\":false,\"groups\":[\"pam\",\"syslog\"],\"pci_dss\":[\"10.2.5\"],\"gpg13\":[\"7.8\",\"7.9\"],\"gdpr\":[\"IV_32.2\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.14\",\"AC.7\"],\"tsc\":[\"CC6.8\",\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"000\",\"name\":\"ub20\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726655721.947358\",\"full_log\":\"Sep 18 16:05:20 ub20 su: pam_unix(su:session): session closed for user root\",\"predecoder\":{\"program_name\":\"su\",\"timestamp\":\"Sep 18 16:05:20\",\"hostname\":\"ub20\"},\"decoder\":{\"parent\":\"pam\",\"name\":\"pam\"},\"data\":{\"dstuser\":\"root\"},\"location\":\"/var/log/auth.log\"}" + service: "system" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726655721609 + - + sample: "<132>Sep 20 01:30:20 
ub20 ossec: {\"timestamp\":\"2024-09-20T01:30:20.439+0530\",\"rule\":{\"level\":7,\"description\":\"Host-based anomaly detection event (rootcheck).\",\"id\":\"510\",\"firedtimes\":2,\"mail\":false,\"groups\":[\"ossec\",\"rootcheck\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"]},\"agent\":{\"id\":\"000\",\"name\":\"ub20\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726776020.112790\",\"full_log\":\"Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\\\.h|proc\\\\.h|/dev/[^n]|^/bin/.*sh' (Generic).\",\"decoder\":{\"name\":\"rootcheck\"},\"data\":{\"title\":\"Trojaned version of file detected.\",\"file\":\"/usr/bin/diff\"},\"location\":\"rootcheck\"}" + result: + custom: + agent: + id: "000" + name: "ub20" + data: + file: "/usr/bin/diff" + title: "Trojaned version of file detected." + decoder: + name: "rootcheck" + full_log: "Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic)." + id: "1726776020.112790" + location: "rootcheck" + manager: + name: "ub20" + rule: + description: "Host-based anomaly detection event (rootcheck)." + firedtimes: 2 + gdpr: + - "IV_35.7.d" + groups: + - "ossec" + - "rootcheck" + id: "510" + level: 7 + mail: false + pci_dss: + - "10.6.1" + service: "malware-detector" + status: "warning" + syslog: + appname: "ossec" + hostname: "ub20" + timestamp: "2024-09-20T01:30:20.439+0530" + message: "<132>Sep 20 01:30:20 ub20 ossec: {\"timestamp\":\"2024-09-20T01:30:20.439+0530\",\"rule\":{\"level\":7,\"description\":\"Host-based anomaly detection event (rootcheck).\",\"id\":\"510\",\"firedtimes\":2,\"mail\":false,\"groups\":[\"ossec\",\"rootcheck\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"]},\"agent\":{\"id\":\"000\",\"name\":\"ub20\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726776020.112790\",\"full_log\":\"Trojaned version of file '/usr/bin/diff' detected. 
Signature used: 'bash|^/bin/sh|file\\\\.h|proc\\\\.h|/dev/[^n]|^/bin/.*sh' (Generic).\",\"decoder\":{\"name\":\"rootcheck\"},\"data\":{\"title\":\"Trojaned version of file detected.\",\"file\":\"/usr/bin/diff\"},\"location\":\"rootcheck\"}" + service: "malware-detector" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726776020439 + - + sample: "<132>Sep 18 15:47:37 ub20 ossec: {\"timestamp\":\"2024-09-18T15:47:37.787+0530\",\"rule\":{\"level\":7,\"description\":\"New Yum package installed.\",\"id\":\"2932\",\"firedtimes\":8,\"mail\":false,\"groups\":[\"syslog\",\"yum\",\"config_changed\"],\"pci_dss\":[\"10.6.1\",\"10.2.7\"],\"gpg13\":[\"4.10\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\",\"AU.14\"],\"tsc\":[\"CC7.2\",\"CC7.3\",\"CC6.8\",\"CC8.1\"]},\"agent\":{\"id\":\"010\",\"name\":\"co7\",\"ip\":\"10.10.10.10\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726654657.842337\",\"full_log\":\"Sep 18 15:47:36 co7 yum[28968]: Installed: libX11-devel-1.6.7-5.el7_9.x86_64\",\"predecoder\":{\"program_name\":\"yum\",\"timestamp\":\"Sep 18 15:47:36\",\"hostname\":\"co7\"},\"decoder\":{},\"location\":\"/var/log/messages\"}" + result: + custom: + agent: + id: "010" + ip: "10.10.10.10" + name: "co7" + data: + package: "libX11-devel-1.6.7-5.el7_9.x86_64" + yum_status: "Installed" + full_log: "Sep 18 15:47:36 co7 yum[28968]: Installed: libX11-devel-1.6.7-5.el7_9.x86_64" + id: "1726654657.842337" + location: "/var/log/messages" + manager: + name: "ub20" + predecoder: + hostname: "co7" + program_name: "yum" + timestamp: "Sep 18 15:47:36" + rule: + description: "New Yum package installed." 
+ firedtimes: 8 + gdpr: + - "IV_35.7.d" + gpg13: + - "4.10" + groups: + - "syslog" + - "yum" + - "config_changed" + hipaa: + - "164.312.b" + id: "2932" + level: 7 + mail: false + nist_800_53: + - "AU.6" + - "AU.14" + pci_dss: + - "10.6.1" + - "10.2.7" + tsc: + - "CC7.2" + - "CC7.3" + - "CC6.8" + - "CC8.1" + service: "system" + status: "warning" + syslog: + appname: "ossec" + hostname: "ub20" + timestamp: "2024-09-18T15:47:37.787+0530" + message: "<132>Sep 18 15:47:37 ub20 ossec: {\"timestamp\":\"2024-09-18T15:47:37.787+0530\",\"rule\":{\"level\":7,\"description\":\"New Yum package installed.\",\"id\":\"2932\",\"firedtimes\":8,\"mail\":false,\"groups\":[\"syslog\",\"yum\",\"config_changed\"],\"pci_dss\":[\"10.6.1\",\"10.2.7\"],\"gpg13\":[\"4.10\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\",\"AU.14\"],\"tsc\":[\"CC7.2\",\"CC7.3\",\"CC6.8\",\"CC8.1\"]},\"agent\":{\"id\":\"010\",\"name\":\"co7\",\"ip\":\"10.10.10.10\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726654657.842337\",\"full_log\":\"Sep 18 15:47:36 co7 yum[28968]: Installed: libX11-devel-1.6.7-5.el7_9.x86_64\",\"predecoder\":{\"program_name\":\"yum\",\"timestamp\":\"Sep 18 15:47:36\",\"hostname\":\"co7\"},\"decoder\":{},\"location\":\"/var/log/messages\"}" + service: "system" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726654657787 + - + sample: "<132>Sep 16 16:58:16 Debian ossec: {\"@sampledata\": true, \"timestamp\": \"2024-09-16T16:58:16.015398+05:30\", \"rule\": {\"firedtimes\": 27, \"mail\": false, \"level\": 3, \"description\": \"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 10.10.10.10] [Port: 80]\", \"groups\": [\"amazon\", \"aws\", \"aws_guardduty\"], \"id\": \"80305\"}, \"agent\": {\"id\": \"007\", \"name\": \"Debian\", \"ip\": \"10.10.10.10\"}, \"manager\": {\"name\": \"ub20\"}, \"cluster\": {\"name\": \"wazuh\"}, \"id\": \"1580123327.49031\", \"predecoder\": {}, \"decoder\": {\"name\": \"json\"}, \"data\": {\"aws\": {\"severity\": \"2\", \"schemaVersion\": \"2.0\", \"resource\": {\"resourceType\": \"Instance\", \"instanceDetails\": {\"launchTime\": \"2019-03-22T14:15:41Z\", \"instanceId\": \"i-0cab4a083d57dc400\", \"networkInterfaces\": {\"networkInterfaceId\": \"eni-0bb465b2d939dbda6\", \"subnetId\": \"subnet-6b1d6203\", \"vpcId\": \"vpc-921e61fa\", \"privateDnsName\": \"ip-10-0-0-1.ec2.internal\", \"publicIp\": \"10.10.10.10\", \"publicDnsName\": \"ec2-10.10.10.10.compute-1.amazonaws.com\", \"privateIpAddress\": \"10.0.0.1\"}, \"instanceState\": \"running\", \"imageId\": \"ami-09ae67bbfcd740875\", \"instanceType\": \"a1.medium\", \"imageDescription\": \"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12\", \"productCodes\": {\"productCodeId\": \"zud1u4kjmxu2j2jf0n36bqa\", \"productCodeType\": \"marketplace\"}, \"iamInstanceProfile\": {\"id\": \"AIPAJGAZMFPZHKIBOUFGA\", \"arn\": \"arn:aws:iam::150447125201:instance-profile/opsworks-web-production\"}, \"availabilityZone\": \"us-east-1e\"}}, \"description\": \"EC2 instance has an unprotected port which is being probed by a known malicious host.\", \"source\": \"guardduty\", \"type\": \"Recon:EC2/PortProbeUnprotectedPort\", \"title\": \"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.\", \"partition\": \"aws\", \"service\": {\"archived\": \"false\", \"resourceRole\": \"TARGET\", \"detectorId\": \"cab38390b400c06fb2897dfcebffb80d\", \"additionalInfo\": {\"threatListName\": \"ProofPoint\", \"threatName\": \"Scanner\"}, \"count\": \"2115\", \"action\": {\"actionType\": \"PORT_PROBE\", \"portProbeAction\": {\"blocked\": 
\"false\", \"portProbeDetails\": {\"localPortDetails\": {\"port\": \"80\", \"portName\": \"HTTP\"}, \"remoteIpDetails\": {\"country\": {\"countryName\": \"Mexico\"}, \"city\": {\"cityName\": \"M\\u00e9rida\"}, \"geoLocation\": {\"lon\": \"-89.616700\", \"lat\": \"20.950000\"}, \"organization\": {\"asnOrg\": \"Internet Mexico Company\", \"org\": \"Internet Mexico Company\", \"isp\": \"Internet Mexico Company\", \"asn\": \"4257\"}, \"ipAddressV4\": \"10.10.10.10\"}}}}, \"serviceName\": \"guardduty\", \"eventFirstSeen\": \"2024-08-28T05:41:44.820Z\", \"eventLastSeen\": \"2024-08-31T05:41:44.820Z\"}, \"region\": \"eu-west-1\", \"accountId\": \"18773455640\", \"log_info\": {\"s3bucket\": \"aws-sample-bucket-2\", \"log_file\": \"guardduty/2024/08/31/05/firehose_guardduty-1-2024-08-31-05-41-44-820b5b9b-ec62-4a07-85d7-b1699b9c031e.zip\"}, \"createdAt\": \"2024-08-28T05:41:44.820Z\"}, \"integration\": \"aws\"}, \"location\": \"Wazuh-AWS\", \"input\": {\"type\": \"log\"}, \"GeoLocation\": {\"country_name\": \"Germany\", \"location\": {\"lat\": 52.524, \"lon\": 13.411}, \"region_name\": \"Berlin\", \"city_name\": \"Berlin\"}}" + result: + custom: + '@sampledata': true + GeoLocation: + city_name: "Berlin" + country_name: "Germany" + location: + lat: 52.524 + lon: 13.411 + region_name: "Berlin" + agent: + id: "007" + ip: "10.10.10.10" + name: "Debian" + cluster: + name: "wazuh" + data: + aws: + accountId: "18773455640" + createdAt: "2024-08-28T05:41:44.820Z" + description: "EC2 instance has an unprotected port which is being probed by a known malicious host." 
+ log_info: + log_file: "guardduty/2024/08/31/05/firehose_guardduty-1-2024-08-31-05-41-44-820b5b9b-ec62-4a07-85d7-b1699b9c031e.zip" + s3bucket: "aws-sample-bucket-2" + partition: "aws" + region: "eu-west-1" + resource: + instanceDetails: + availabilityZone: "us-east-1e" + iamInstanceProfile: + arn: "arn:aws:iam::150447125201:instance-profile/opsworks-web-production" + id: "AIPAJGAZMFPZHKIBOUFGA" + imageDescription: "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12" + imageId: "ami-09ae67bbfcd740875" + instanceId: "i-0cab4a083d57dc400" + instanceState: "running" + instanceType: "a1.medium" + launchTime: "2019-03-22T14:15:41Z" + networkInterfaces: + networkInterfaceId: "eni-0bb465b2d939dbda6" + privateDnsName: "ip-10-0-0-1.ec2.internal" + privateIpAddress: "10.0.0.1" + publicDnsName: "ec2-10.10.10.10.compute-1.amazonaws.com" + publicIp: "10.10.10.10" + subnetId: "subnet-6b1d6203" + vpcId: "vpc-921e61fa" + productCodes: + productCodeId: "zud1u4kjmxu2j2jf0n36bqa" + productCodeType: "marketplace" + resourceType: "Instance" + schemaVersion: "2.0" + service: + action: + actionType: "PORT_PROBE" + portProbeAction: + blocked: "false" + portProbeDetails: + localPortDetails: + port: "80" + portName: "HTTP" + remoteIpDetails: + city: + cityName: "Mérida" + country: + countryName: "Mexico" + geoLocation: + lat: "20.950000" + lon: "-89.616700" + ipAddressV4: "10.10.10.10" + organization: + asn: "4257" + asnOrg: "Internet Mexico Company" + isp: "Internet Mexico Company" + org: "Internet Mexico Company" + additionalInfo: + threatListName: "ProofPoint" + threatName: "Scanner" + archived: "false" + count: "2115" + detectorId: "cab38390b400c06fb2897dfcebffb80d" + eventFirstSeen: "2024-08-28T05:41:44.820Z" + eventLastSeen: "2024-08-31T05:41:44.820Z" + resourceRole: "TARGET" + serviceName: "guardduty" + severity: "2" + source: "guardduty" + title: "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed." 
+ type: "Recon:EC2/PortProbeUnprotectedPort" + integration: "aws" + decoder: + name: "json" + id: "1580123327.49031" + input: + type: "log" + location: "Wazuh-AWS" + manager: + name: "ub20" + rule: + description: "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 10.10.10.10] [Port: 80]" + firedtimes: 27 + groups: + - "amazon" + - "aws" + - "aws_guardduty" + id: "80305" + level: 3 + mail: false + service: "amazon" + status: "information" + syslog: + appname: "ossec" + hostname: "Debian" + timestamp: "2024-09-16T16:58:16.015398+05:30" + message: "<132>Sep 16 16:58:16 Debian ossec: {\"@sampledata\": true, \"timestamp\": \"2024-09-16T16:58:16.015398+05:30\", \"rule\": {\"firedtimes\": 27, \"mail\": false, \"level\": 3, \"description\": \"AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 10.10.10.10] [Port: 80]\", \"groups\": [\"amazon\", \"aws\", \"aws_guardduty\"], \"id\": \"80305\"}, \"agent\": {\"id\": \"007\", \"name\": \"Debian\", \"ip\": \"10.10.10.10\"}, \"manager\": {\"name\": \"ub20\"}, \"cluster\": {\"name\": \"wazuh\"}, \"id\": \"1580123327.49031\", \"predecoder\": {}, \"decoder\": {\"name\": \"json\"}, \"data\": {\"aws\": {\"severity\": \"2\", \"schemaVersion\": \"2.0\", \"resource\": {\"resourceType\": \"Instance\", \"instanceDetails\": {\"launchTime\": \"2019-03-22T14:15:41Z\", \"instanceId\": \"i-0cab4a083d57dc400\", \"networkInterfaces\": {\"networkInterfaceId\": \"eni-0bb465b2d939dbda6\", \"subnetId\": \"subnet-6b1d6203\", \"vpcId\": \"vpc-921e61fa\", \"privateDnsName\": \"ip-10-0-0-1.ec2.internal\", \"publicIp\": \"10.10.10.10\", \"publicDnsName\": \"ec2-10.10.10.10.compute-1.amazonaws.com\", \"privateIpAddress\": \"10.0.0.1\"}, \"instanceState\": \"running\", \"imageId\": \"ami-09ae67bbfcd740875\", \"instanceType\": \"a1.medium\", \"imageDescription\": \"Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12\", 
\"productCodes\": {\"productCodeId\": \"zud1u4kjmxu2j2jf0n36bqa\", \"productCodeType\": \"marketplace\"}, \"iamInstanceProfile\": {\"id\": \"AIPAJGAZMFPZHKIBOUFGA\", \"arn\": \"arn:aws:iam::150447125201:instance-profile/opsworks-web-production\"}, \"availabilityZone\": \"us-east-1e\"}}, \"description\": \"EC2 instance has an unprotected port which is being probed by a known malicious host.\", \"source\": \"guardduty\", \"type\": \"Recon:EC2/PortProbeUnprotectedPort\", \"title\": \"Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.\", \"partition\": \"aws\", \"service\": {\"archived\": \"false\", \"resourceRole\": \"TARGET\", \"detectorId\": \"cab38390b400c06fb2897dfcebffb80d\", \"additionalInfo\": {\"threatListName\": \"ProofPoint\", \"threatName\": \"Scanner\"}, \"count\": \"2115\", \"action\": {\"actionType\": \"PORT_PROBE\", \"portProbeAction\": {\"blocked\": \"false\", \"portProbeDetails\": {\"localPortDetails\": {\"port\": \"80\", \"portName\": \"HTTP\"}, \"remoteIpDetails\": {\"country\": {\"countryName\": \"Mexico\"}, \"city\": {\"cityName\": \"M\\u00e9rida\"}, \"geoLocation\": {\"lon\": \"-89.616700\", \"lat\": \"20.950000\"}, \"organization\": {\"asnOrg\": \"Internet Mexico Company\", \"org\": \"Internet Mexico Company\", \"isp\": \"Internet Mexico Company\", \"asn\": \"4257\"}, \"ipAddressV4\": \"10.10.10.10\"}}}}, \"serviceName\": \"guardduty\", \"eventFirstSeen\": \"2024-08-28T05:41:44.820Z\", \"eventLastSeen\": \"2024-08-31T05:41:44.820Z\"}, \"region\": \"eu-west-1\", \"accountId\": \"18773455640\", \"log_info\": {\"s3bucket\": \"aws-sample-bucket-2\", \"log_file\": \"guardduty/2024/08/31/05/firehose_guardduty-1-2024-08-31-05-41-44-820b5b9b-ec62-4a07-85d7-b1699b9c031e.zip\"}, \"createdAt\": \"2024-08-28T05:41:44.820Z\"}, \"integration\": \"aws\"}, \"location\": \"Wazuh-AWS\", \"input\": {\"type\": \"log\"}, \"GeoLocation\": {\"country_name\": \"Germany\", \"location\": {\"lat\": 52.524, \"lon\": 13.411}, \"region_name\": \"Berlin\", 
\"city_name\": \"Berlin\"}}" + service: "amazon" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726486096015 + - + sample: "<132>Sep 17 10:25:49 Amazon ossec: {\"@sampledata\": true, \"timestamp\": \"2024-09-17T10:25:49.352657+05:30\", \"rule\": {\"level\": 3, \"description\": \"GitHub Git push.\", \"id\": \"91160\", \"firedtimes\": 2, \"mail\": false, \"groups\": [\"github\", \"git\", \"git_git\"]}, \"agent\": {\"id\": \"002\", \"name\": \"Amazon\", \"ip\": \"10.10.10.10\"}, \"manager\": {\"name\": \"ub20\"}, \"cluster\": {\"name\": \"wazuh\"}, \"id\": \"1580123327.49031\", \"predecoder\": {}, \"decoder\": {\"name\": \"json\"}, \"data\": {\"github\": {\"actor\": \"User1\", \"@timestamp\": \"2024-08-30T17:23:47.725+0000\", \"org\": \"Organization1\", \"repo\": \"Organization1/Repo7\", \"actor_location\": {\"country_code\": \"DE\"}, \"action\": \"git.push\", \"transport_protocol_name\": \"http\", \"transport_protocol\": \"1\", \"repository\": \"Organization1/Repo1\", \"repository_public\": \"false\"}}, \"location\": \"github\"}" + result: + custom: + '@sampledata': true + agent: + id: "002" + ip: "10.10.10.10" + name: "Amazon" + cluster: + name: "wazuh" + data: + github: + '@timestamp': "2024-08-30T17:23:47.725+0000" + action: "git.push" + actor_location: + country_code: "DE" + org: "Organization1" + repo: "Organization1/Repo7" + repository: "Organization1/Repo1" + repository_public: "false" + transport_protocol: "1" + transport_protocol_name: "http" + decoder: + name: "json" + id: "1580123327.49031" + location: "github" + manager: + name: "ub20" + rule: + description: "GitHub Git push." 
+ firedtimes: 2 + groups: + - "github" + - "git" + - "git_git" + id: "91160" + level: 3 + mail: false + service: "github" + status: "information" + syslog: + appname: "ossec" + hostname: "Amazon" + timestamp: "2024-09-17T10:25:49.352657+05:30" + usr: + name: "User1" + message: "<132>Sep 17 10:25:49 Amazon ossec: {\"@sampledata\": true, \"timestamp\": \"2024-09-17T10:25:49.352657+05:30\", \"rule\": {\"level\": 3, \"description\": \"GitHub Git push.\", \"id\": \"91160\", \"firedtimes\": 2, \"mail\": false, \"groups\": [\"github\", \"git\", \"git_git\"]}, \"agent\": {\"id\": \"002\", \"name\": \"Amazon\", \"ip\": \"10.10.10.10\"}, \"manager\": {\"name\": \"ub20\"}, \"cluster\": {\"name\": \"wazuh\"}, \"id\": \"1580123327.49031\", \"predecoder\": {}, \"decoder\": {\"name\": \"json\"}, \"data\": {\"github\": {\"actor\": \"User1\", \"@timestamp\": \"2024-08-30T17:23:47.725+0000\", \"org\": \"Organization1\", \"repo\": \"Organization1/Repo7\", \"actor_location\": {\"country_code\": \"DE\"}, \"action\": \"git.push\", \"transport_protocol_name\": \"http\", \"transport_protocol\": \"1\", \"repository\": \"Organization1/Repo1\", \"repository_public\": \"false\"}}, \"location\": \"github\"}" + service: "github" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726548949352 + - + sample: "<132>Sep 18 20:41:50 ub20 ossec: {\"timestamp\":\"2024-09-18T20:41:50.115+0530\",\"rule\":{\"level\":10,\"description\":\"CVE-2023-43787 affects 
libX11-devel\",\"id\":\"23505\",\"firedtimes\":12,\"mail\":false,\"groups\":[\"vulnerability-detector\"],\"gdpr\":[\"IV_35.7.d\"],\"pci_dss\":[\"11.2.1\",\"11.2.3\"],\"tsc\":[\"CC7.1\",\"CC7.2\"]},\"agent\":{\"id\":\"010\",\"name\":\"co7\",\"ip\":\"10.10.10.10\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726672310.1698045\",\"decoder\":{\"name\":\"json\"},\"data\":{\"vulnerability\":{\"assigner\":\"redhat\",\"cve\":\"CVE-2023-43787\",\"cvss\":{\"cvss3\":{\"base_score\":\"7.800000\",\"vector\":{\"availability\":\"HIGH\",\"confidentiality_impact\":\"HIGH\",\"integrity_impact\":\"HIGH\",\"privileges_required\":\"LOW\",\"scope\":\"UNCHANGED\",\"user_interaction\":\"NONE\"}}},\"cwe_reference\":\"CWE-122\",\"enumeration\":\"CVE\",\"package\":{\"architecture\":\"x86_64\",\"condition\":\"Package default status\",\"name\":\"libX11-devel\",\"source\":\" \",\"version\":\"1.6.7-5.el7_9\"},\"published\":\"2023-10-10T13:15:22Z\",\"rationale\":\"A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. 
This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.\",\"reference\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2242254, https://access.redhat.com/security/cve/CVE-2023-43787, http://www.openwall.com/lists/oss-security/2024/01/24/9, https://access.redhat.com/errata/RHSA-2024:2145, https://access.redhat.com/errata/RHSA-2024:2973, https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-two/, https://security.netapp.com/advisory/ntap-20231103-0006/\",\"severity\":\"High\",\"status\":\"Active\",\"title\":\"CVE-2023-43787 affects libX11-devel\",\"type\":\"Packages\",\"updated\":\"2024-05-22T17:16:05Z\"}},\"location\":\"vulnerability-detector\"}" + result: + custom: + agent: + id: "010" + ip: "10.10.10.10" + name: "co7" + data: + vulnerability: + assigner: "redhat" + cve: "CVE-2023-43787" + cvss: + cvss3: + base_score: "7.800000" + vector: + availability: "HIGH" + confidentiality_impact: "HIGH" + integrity_impact: "HIGH" + privileges_required: "LOW" + scope: "UNCHANGED" + user_interaction: "NONE" + cwe_reference: "CWE-122" + enumeration: "CVE" + package: + architecture: "x86_64" + condition: "Package default status" + name: "libX11-devel" + source: " " + version: "1.6.7-5.el7_9" + published: "2023-10-10T13:15:22Z" + rationale: "A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges." 
+ reference: "https://bugzilla.redhat.com/show_bug.cgi?id=2242254, https://access.redhat.com/security/cve/CVE-2023-43787, http://www.openwall.com/lists/oss-security/2024/01/24/9, https://access.redhat.com/errata/RHSA-2024:2145, https://access.redhat.com/errata/RHSA-2024:2973, https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-two/, https://security.netapp.com/advisory/ntap-20231103-0006/" + severity: "High" + status: "Active" + title: "CVE-2023-43787 affects libX11-devel" + type: "Packages" + updated: "2024-05-22T17:16:05Z" + decoder: + name: "json" + id: "1726672310.1698045" + location: "vulnerability-detector" + manager: + name: "ub20" + rule: + description: "CVE-2023-43787 affects libX11-devel" + firedtimes: 12 + gdpr: + - "IV_35.7.d" + groups: + - "vulnerability-detector" + id: "23505" + level: 10 + mail: false + pci_dss: + - "11.2.1" + - "11.2.3" + tsc: + - "CC7.1" + - "CC7.2" + service: "vulnerability-detector" + status: "warning" + syslog: + appname: "ossec" + hostname: "ub20" + timestamp: "2024-09-18T20:41:50.115+0530" + message: "<132>Sep 18 20:41:50 ub20 ossec: {\"timestamp\":\"2024-09-18T20:41:50.115+0530\",\"rule\":{\"level\":10,\"description\":\"CVE-2023-43787 affects 
libX11-devel\",\"id\":\"23505\",\"firedtimes\":12,\"mail\":false,\"groups\":[\"vulnerability-detector\"],\"gdpr\":[\"IV_35.7.d\"],\"pci_dss\":[\"11.2.1\",\"11.2.3\"],\"tsc\":[\"CC7.1\",\"CC7.2\"]},\"agent\":{\"id\":\"010\",\"name\":\"co7\",\"ip\":\"10.10.10.10\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726672310.1698045\",\"decoder\":{\"name\":\"json\"},\"data\":{\"vulnerability\":{\"assigner\":\"redhat\",\"cve\":\"CVE-2023-43787\",\"cvss\":{\"cvss3\":{\"base_score\":\"7.800000\",\"vector\":{\"availability\":\"HIGH\",\"confidentiality_impact\":\"HIGH\",\"integrity_impact\":\"HIGH\",\"privileges_required\":\"LOW\",\"scope\":\"UNCHANGED\",\"user_interaction\":\"NONE\"}}},\"cwe_reference\":\"CWE-122\",\"enumeration\":\"CVE\",\"package\":{\"architecture\":\"x86_64\",\"condition\":\"Package default status\",\"name\":\"libX11-devel\",\"source\":\" \",\"version\":\"1.6.7-5.el7_9\"},\"published\":\"2023-10-10T13:15:22Z\",\"rationale\":\"A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. 
This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.\",\"reference\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2242254, https://access.redhat.com/security/cve/CVE-2023-43787, http://www.openwall.com/lists/oss-security/2024/01/24/9, https://access.redhat.com/errata/RHSA-2024:2145, https://access.redhat.com/errata/RHSA-2024:2973, https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-two/, https://security.netapp.com/advisory/ntap-20231103-0006/\",\"severity\":\"High\",\"status\":\"Active\",\"title\":\"CVE-2023-43787 affects libX11-devel\",\"type\":\"Packages\",\"updated\":\"2024-05-22T17:16:05Z\"}},\"location\":\"vulnerability-detector\"}" + service: "vulnerability-detector" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726672310115 + - + sample: "<132>Sep 16 16:17:37 Ubuntu ossec: {\"@sampledata\": true, \"timestamp\": \"2024-09-17T11:30:16.015304+05:30\", \"rule\": {\"level\": 5, \"description\": \"GCP notice event with source IP 10.10.10.10 from europe-west1 with response code NXDOMAIN\", \"id\": \"65010\", \"firedtimes\": 2, \"mail\": true, \"groups\": [\"gcp\"]}, \"agent\": {\"id\": \"004\", \"name\": \"Ubuntu\", \"ip\": \"10.10.10.10\"}, \"manager\": {\"name\": \"ub20\"}, \"cluster\": {\"name\": \"wazuh\"}, \"id\": \"1580123327.49031\", \"predecoder\": {}, \"decoder\": {}, \"data\": {\"integration\": \"gcp\", \"gcp\": {\"insertId\": \"uk1zpe23xcj\", \"jsonPayload\": {\"authAnswer\": \"true\", \"protocol\": \"UDP\", \"queryName\": \"41.212.95.203.in-addr.arpa\", \"queryType\": \"A\", \"responseCode\": \"NXDOMAIN\", \"sourceIP\": \"10.10.10.10\", \"vmInstanceId\": \"4980113928800839680.000000\", \"vmInstanceName\": \"531339229531.instance-1\"}, \"logName\": \"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries\", \"receiveTimestamp\": \"2019-11-11T02:42:05.05853152Z\", \"resource\": {\"labels\": {\"location\": \"us-central1\", \"project_id\": 
\"wazuh-test\", \"source_type\": \"gce-vm\", \"target_type\": \"external\"}, \"type\": \"dns_query\"}, \"severity\": \"CRITICAL\", \"timestamp\": \"2019-11-11T02:42:04.34921449Z\"}}, \"location\": \"\", \"GeoLocation\": {\"country_name\": \"Australia\", \"location\": {\"lat\": -33.8678513, \"lon\": 151.2073212}, \"region_name\": \"Sydney\", \"city_name\": \"Sydney\"}}" + result: + custom: + '@sampledata': true + GeoLocation: + city_name: "Sydney" + country_name: "Australia" + location: + lat: -33.8678513 + lon: 151.2073212 + region_name: "Sydney" + agent: + id: "004" + ip: "10.10.10.10" + name: "Ubuntu" + cluster: + name: "wazuh" + data: + gcp: + insertId: "uk1zpe23xcj" + jsonPayload: + authAnswer: "true" + protocol: "UDP" + queryName: "41.212.95.203.in-addr.arpa" + queryType: "A" + responseCode: "NXDOMAIN" + vmInstanceId: "4980113928800839680.000000" + vmInstanceName: "531339229531.instance-1" + logName: "projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries" + receiveTimestamp: "2019-11-11T02:42:05.05853152Z" + resource: + labels: + location: "us-central1" + project_id: "wazuh-test" + source_type: "gce-vm" + target_type: "external" + type: "dns_query" + severity: "CRITICAL" + timestamp: "2019-11-11T02:42:04.34921449Z" + integration: "gcp" + id: "1580123327.49031" + location: "" + manager: + name: "ub20" + network: + client: + geoip: {} + ip: "10.10.10.10" + rule: + description: "GCP notice event with source IP 10.10.10.10 from europe-west1 with response code NXDOMAIN" + firedtimes: 2 + groups: + - "gcp" + id: "65010" + level: 5 + mail: true + service: "google-cloud" + status: "information" + syslog: + appname: "ossec" + hostname: "Ubuntu" + timestamp: "2024-09-17T11:30:16.015304+05:30" + message: "<132>Sep 16 16:17:37 Ubuntu ossec: {\"@sampledata\": true, \"timestamp\": \"2024-09-17T11:30:16.015304+05:30\", \"rule\": {\"level\": 5, \"description\": \"GCP notice event with source IP 10.10.10.10 from europe-west1 with response code NXDOMAIN\", \"id\": \"65010\", 
\"firedtimes\": 2, \"mail\": true, \"groups\": [\"gcp\"]}, \"agent\": {\"id\": \"004\", \"name\": \"Ubuntu\", \"ip\": \"10.10.10.10\"}, \"manager\": {\"name\": \"ub20\"}, \"cluster\": {\"name\": \"wazuh\"}, \"id\": \"1580123327.49031\", \"predecoder\": {}, \"decoder\": {}, \"data\": {\"integration\": \"gcp\", \"gcp\": {\"insertId\": \"uk1zpe23xcj\", \"jsonPayload\": {\"authAnswer\": \"true\", \"protocol\": \"UDP\", \"queryName\": \"41.212.95.203.in-addr.arpa\", \"queryType\": \"A\", \"responseCode\": \"NXDOMAIN\", \"sourceIP\": \"10.10.10.10\", \"vmInstanceId\": \"4980113928800839680.000000\", \"vmInstanceName\": \"531339229531.instance-1\"}, \"logName\": \"projects/wazuh-dev/logs/dns.googleapis.com%2Fdns_queries\", \"receiveTimestamp\": \"2019-11-11T02:42:05.05853152Z\", \"resource\": {\"labels\": {\"location\": \"us-central1\", \"project_id\": \"wazuh-test\", \"source_type\": \"gce-vm\", \"target_type\": \"external\"}, \"type\": \"dns_query\"}, \"severity\": \"CRITICAL\", \"timestamp\": \"2019-11-11T02:42:04.34921449Z\"}}, \"location\": \"\", \"GeoLocation\": {\"country_name\": \"Australia\", \"location\": {\"lat\": -33.8678513, \"lon\": 151.2073212}, \"region_name\": \"Sydney\", \"city_name\": \"Sydney\"}}" + service: "google-cloud" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726552816015 + - + sample: "<132>Sep 17 12:09:39 ub20 ossec: {\"@sampledata\": true, \"timestamp\": \"2024-09-17T12:09:39.565041+05:30\", \"rule\": {\"level\": 3, \"description\": \"Office 365: Data Insights REST API events.\", \"id\": \"91580\", \"mail\": false, \"firedtimes\": 4, \"groups\": [\"office365\", \"DataInsightsRestApiAudit\", \"hipaa_164.312.b\", \"pci_dss_10.6.2\"]}, \"agent\": {\"id\": \"000\", \"ip\": \"10.10.10.10\", \"name\": \"ub20\"}, \"manager\": {\"name\": \"ub20\"}, \"cluster\": {\"name\": \"wazuh\"}, \"id\": \"1580123327.49031\", \"predecoder\": {}, \"decoder\": {\"name\": \"json\"}, \"data\": {\"integration\": \"Office365\", \"office365\": 
{\"CreationTime\": \"2024-08-29T20:06:43.482Z\", \"Id\": \"a0995136-91d8-4acf-8449-28c275ffb7e3\", \"Operation\": \"ValidaterbacAccessCheck\", \"OrganizationId\": \"ce013f05-a783-4186-9d85-5a14998b6111\", \"RecordType\": 52, \"UserKey\": \"d36253fb-24a1-481c-a199-f778534ccb5f\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"UserId\": \"frank@wazuh.com\", \"AadAppId\": \"d6fdaa33-e821-4211-83d0-cf74736489e1\", \"DataType\": \"rbacAccessCheck\", \"RelativeUrl\": \"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b\", \"ResultCount\": \"0\", \"Subscription\": \"Audit.General\", \"ResultStatus\": \"Failed\", \"ObjectId\": \"d14aa5cb-b070-42f8-8709-0f8afd942fc0\", \"ClientIP\": \"10.10.10.10\"}}, \"location\": \"office365\", \"GeoLocation\": {\"country_name\": \"England\", \"location\": {\"lat\": 51.5085297, \"lon\": -0.12574}, \"region_name\": \"London\", \"city_name\": \"London\"}}" + result: + custom: + '@sampledata': true + GeoLocation: + city_name: "London" + country_name: "England" + location: + lat: 51.5085297 + lon: -0.12574 + region_name: "London" + agent: + id: "000" + ip: "10.10.10.10" + name: "ub20" + cluster: + name: "wazuh" + data: + integration: "Office365" + office365: + AadAppId: "d6fdaa33-e821-4211-83d0-cf74736489e1" + CreationTime: "2024-08-29T20:06:43.482Z" + DataType: "rbacAccessCheck" + Id: "a0995136-91d8-4acf-8449-28c275ffb7e3" + ObjectId: "d14aa5cb-b070-42f8-8709-0f8afd942fc0" + Operation: "ValidaterbacAccessCheck" + OrganizationId: "ce013f05-a783-4186-9d85-5a14998b6111" + RecordType: 52 + RelativeUrl: "/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b" + ResultCount: "0" + ResultStatus: "Failed" + Subscription: "Audit.General" + UserKey: "d36253fb-24a1-481c-a199-f778534ccb5f" + UserType: 0 + Version: 1 + Workload: "SecurityComplianceCenter" + decoder: + name: "json" + id: "1580123327.49031" + 
location: "office365" + manager: + name: "ub20" + network: + client: + geoip: {} + ip: "10.10.10.10" + rule: + description: "Office 365: Data Insights REST API events." + firedtimes: 4 + groups: + - "office365" + - "DataInsightsRestApiAudit" + - "hipaa_164.312.b" + - "pci_dss_10.6.2" + id: "91580" + level: 3 + mail: false + service: "office365" + status: "information" + syslog: + appname: "ossec" + hostname: "ub20" + timestamp: "2024-09-17T12:09:39.565041+05:30" + usr: + email: "frank@wazuh.com" + message: "<132>Sep 17 12:09:39 ub20 ossec: {\"@sampledata\": true, \"timestamp\": \"2024-09-17T12:09:39.565041+05:30\", \"rule\": {\"level\": 3, \"description\": \"Office 365: Data Insights REST API events.\", \"id\": \"91580\", \"mail\": false, \"firedtimes\": 4, \"groups\": [\"office365\", \"DataInsightsRestApiAudit\", \"hipaa_164.312.b\", \"pci_dss_10.6.2\"]}, \"agent\": {\"id\": \"000\", \"ip\": \"10.10.10.10\", \"name\": \"ub20\"}, \"manager\": {\"name\": \"ub20\"}, \"cluster\": {\"name\": \"wazuh\"}, \"id\": \"1580123327.49031\", \"predecoder\": {}, \"decoder\": {\"name\": \"json\"}, \"data\": {\"integration\": \"Office365\", \"office365\": {\"CreationTime\": \"2024-08-29T20:06:43.482Z\", \"Id\": \"a0995136-91d8-4acf-8449-28c275ffb7e3\", \"Operation\": \"ValidaterbacAccessCheck\", \"OrganizationId\": \"ce013f05-a783-4186-9d85-5a14998b6111\", \"RecordType\": 52, \"UserKey\": \"d36253fb-24a1-481c-a199-f778534ccb5f\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"UserId\": \"frank@wazuh.com\", \"AadAppId\": \"d6fdaa33-e821-4211-83d0-cf74736489e1\", \"DataType\": \"rbacAccessCheck\", \"RelativeUrl\": \"/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=0fea4e03-8146-453b-b889-54b4bd11565b\", \"ResultCount\": \"0\", \"Subscription\": \"Audit.General\", \"ResultStatus\": \"Failed\", \"ObjectId\": \"d14aa5cb-b070-42f8-8709-0f8afd942fc0\", \"ClientIP\": \"10.10.10.10\"}}, \"location\": \"office365\", \"GeoLocation\": 
{\"country_name\": \"England\", \"location\": {\"lat\": 51.5085297, \"lon\": -0.12574}, \"region_name\": \"London\", \"city_name\": \"London\"}}" + service: "office365" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726555179565 + - + sample: "<132>Sep 17 12:37:36 Debian ossec: {\"@sampledata\": true, \"timestamp\": \"2024-09-17T12:37:36.093817+05:30\", \"rule\": {\"firedtimes\": 1, \"mail\": false, \"level\": 3, \"description\": \"Docker: Network bridge connected\", \"groups\": [\"docker\"], \"id\": \"87928\"}, \"agent\": {\"id\": \"007\", \"name\": \"Debian\", \"ip\": \"10.10.10.10\"}, \"manager\": {\"name\": \"ub20\"}, \"cluster\": {\"name\": \"wazuh\"}, \"id\": \"1580123327.49031\", \"predecoder\": {}, \"decoder\": {}, \"data\": {\"integration\": \"docker\", \"docker\": {\"Action\": \"connect\", \"Type\": \"network\", \"Actor\": {\"Attributes\": {\"container\": \"4d193284273eda41a869c2ef22091d7e0492323b91d654f1bea09fcefde50c08\", \"name\": \"bridge\", \"type\": \"bridge\"}, \"ID\": \"128075e00d6a056b6454afaa183c3a2714f0307a848ee4dba0e095e0a29f086a\"}, \"scope\": \"local\", \"timeNano\": \"1587084599776133888.000000\", \"time\": \"1587084599\"}}, \"location\": \"\"}" + result: + custom: + '@sampledata': true + agent: + id: "007" + ip: "10.10.10.10" + name: "Debian" + cluster: + name: "wazuh" + data: + docker: + Action: "connect" + Actor: + Attributes: + container: "4d193284273eda41a869c2ef22091d7e0492323b91d654f1bea09fcefde50c08" + name: "bridge" + type: "bridge" + ID: "128075e00d6a056b6454afaa183c3a2714f0307a848ee4dba0e095e0a29f086a" + Type: "network" + scope: "local" + time: "1587084599" + timeNano: "1587084599776133888.000000" + integration: "docker" + id: "1580123327.49031" + location: "" + manager: + name: "ub20" + rule: + description: "Docker: Network bridge connected" + firedtimes: 1 + groups: + - "docker" + id: "87928" + level: 3 + mail: false + service: "docker" + status: "information" + syslog: + appname: "ossec" + hostname: "Debian" + 
timestamp: "2024-09-17T12:37:36.093817+05:30"
+ message: "<132>Sep 17 12:37:36 Debian ossec: {\"@sampledata\": true, \"timestamp\": \"2024-09-17T12:37:36.093817+05:30\", \"rule\": {\"firedtimes\": 1, \"mail\": false, \"level\": 3, \"description\": \"Docker: Network bridge connected\", \"groups\": [\"docker\"], \"id\": \"87928\"}, \"agent\": {\"id\": \"007\", \"name\": \"Debian\", \"ip\": \"10.10.10.10\"}, \"manager\": {\"name\": \"ub20\"}, \"cluster\": {\"name\": \"wazuh\"}, \"id\": \"1580123327.49031\", \"predecoder\": {}, \"decoder\": {}, \"data\": {\"integration\": \"docker\", \"docker\": {\"Action\": \"connect\", \"Type\": \"network\", \"Actor\": {\"Attributes\": {\"container\": \"4d193284273eda41a869c2ef22091d7e0492323b91d654f1bea09fcefde50c08\", \"name\": \"bridge\", \"type\": \"bridge\"}, \"ID\": \"128075e00d6a056b6454afaa183c3a2714f0307a848ee4dba0e095e0a29f086a\"}, \"scope\": \"local\", \"timeNano\": \"1587084599776133888.000000\", \"time\": \"1587084599\"}}, \"location\": \"\"}"
+ service: "docker"
+ status: "info"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1726556856093
+ -
+ sample: "<132>Sep 18 14:53:16 ub20 ossec: {\"timestamp\":\"2024-09-18T14:53:16.251+0530\",\"rule\":{\"level\":7,\"description\":\"SCA summary: CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0: Score less than 50% (33)\",\"id\":\"19004\",\"firedtimes\":1,\"mail\":false,\"groups\":[\"sca\"],\"gdpr\":[\"IV_35.7.d\"],\"pci_dss\":[\"2.2\"],\"nist_800_53\":[\"CM.1\"],\"tsc\":[\"CC7.1\",\"CC7.2\"]},\"agent\":{\"id\":\"005\",\"name\":\"DESKTOP-C1V1PSE\",\"ip\":\"10.10.10.10\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726651396.585956\",\"decoder\":{\"name\":\"sca\"},\"data\":{\"sca\":{\"type\":\"summary\",\"scan_id\":\"245628523\",\"policy\":\"CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0\",\"description\":\"This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 10 Enterprise.\",\"policy_id\":\"cis_win10_enterprise\",\"passed\":\"131\",\"failed\":\"258\",\"invalid\":\"5\",\"total_checks\":\"394\",\"score\":\"33\",\"file\":\"cis_win10_enterprise.yml\"}},\"location\":\"sca\"}"
+ result:
+ custom:
+ agent:
+ id: "005"
+ ip: "10.10.10.10"
+ name: "DESKTOP-C1V1PSE"
+ data:
+ sca:
+ description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 10 Enterprise."
+ failed: "258"
+ file: "cis_win10_enterprise.yml"
+ invalid: "5"
+ passed: "131"
+ policy: "CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0"
+ policy_id: "cis_win10_enterprise"
+ scan_id: "245628523"
+ score: "33"
+ total_checks: "394"
+ type: "summary"
+ decoder:
+ name: "sca"
+ id: "1726651396.585956"
+ location: "sca"
+ manager:
+ name: "ub20"
+ rule:
+ description: "SCA summary: CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0: Score less than 50% (33)"
+ firedtimes: 1
+ gdpr:
+ - "IV_35.7.d"
+ groups:
+ - "sca"
+ id: "19004"
+ level: 7
+ mail: false
+ nist_800_53:
+ - "CM.1"
+ pci_dss:
+ - "2.2"
+ tsc:
+ - "CC7.1"
+ - "CC7.2"
+ service: "other"
+ status: "warning"
+ syslog:
+ appname: "ossec"
+ hostname: "ub20"
+ timestamp: "2024-09-18T14:53:16.251+0530"
+ message: "<132>Sep 18 14:53:16 ub20 ossec: {\"timestamp\":\"2024-09-18T14:53:16.251+0530\",\"rule\":{\"level\":7,\"description\":\"SCA summary: CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0: Score less than 50% (33)\",\"id\":\"19004\",\"firedtimes\":1,\"mail\":false,\"groups\":[\"sca\"],\"gdpr\":[\"IV_35.7.d\"],\"pci_dss\":[\"2.2\"],\"nist_800_53\":[\"CM.1\"],\"tsc\":[\"CC7.1\",\"CC7.2\"]},\"agent\":{\"id\":\"005\",\"name\":\"DESKTOP-C1V1PSE\",\"ip\":\"10.10.10.10\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726651396.585956\",\"decoder\":{\"name\":\"sca\"},\"data\":{\"sca\":{\"type\":\"summary\",\"scan_id\":\"245628523\",\"policy\":\"CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0\",\"description\":\"This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 10 Enterprise.\",\"policy_id\":\"cis_win10_enterprise\",\"passed\":\"131\",\"failed\":\"258\",\"invalid\":\"5\",\"total_checks\":\"394\",\"score\":\"33\",\"file\":\"cis_win10_enterprise.yml\"}},\"location\":\"sca\"}"
+ service: "other"
+ status: "warn"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1726651396251
+ -
+ sample: "<132>Sep 18 15:31:44 ub20 ossec: {\"timestamp\":\"2024-09-18T15:31:44.788+0530\",\"rule\":{\"level\":5,\"description\":\"sshd: authentication failed.\",\"id\":\"5760\",\"mitre\":{\"id\":[\"T1110.001\",\"T1021.004\"],\"tactic\":[\"Credential Access\",\"Lateral Movement\"],\"technique\":[\"Password Guessing\",\"SSH\"]},\"firedtimes\":2,\"mail\":false,\"groups\":[\"syslog\",\"sshd\",\"authentication_failed\"],\"gdpr\":[\"IV_35.7.d\",\"IV_32.2\"],\"gpg13\":[\"7.1\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.14\",\"AC.7\"],\"pci_dss\":[\"10.2.4\",\"10.2.5\"],\"tsc\":[\"CC6.1\",\"CC6.8\",\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"010\",\"name\":\"co7\",\"ip\":\"10.10.10.10\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726653704.812551\",\"full_log\":\"Sep 18 15:31:43 co7 sshd[28830]: Failed password for devuser from 10.10.10.10 port 57137 ssh2\",\"predecoder\":{\"program_name\":\"sshd\",\"timestamp\":\"Sep 18 15:31:43\",\"hostname\":\"co7\"},\"decoder\":{\"parent\":\"sshd\",\"name\":\"sshd\"},\"data\":{\"srcip\":\"10.10.10.10\",\"srcport\":\"57137\",\"dstuser\":\"devuser\"},\"location\":\"/var/log/secure\"}"
+ result:
+ custom:
+ agent:
+ id: "010"
+ ip: "10.10.10.10"
+ name: "co7"
+ data:
+ dstuser: "devuser"
+ decoder:
+ name: "sshd"
+ parent: "sshd"
+ full_log: "Sep 18 15:31:43 co7 sshd[28830]: Failed password for devuser from 10.10.10.10 port 57137 ssh2"
+ id: "1726653704.812551"
+ location: "/var/log/secure"
+ manager:
+ name: "ub20"
+ network:
+ client:
+ geoip: {}
+ ip: "10.10.10.10"
+ port: "57137"
+ predecoder:
+ hostname: "co7"
+ program_name: "sshd"
+ timestamp: "Sep 18 15:31:43"
+ rule:
+ description: "sshd: authentication failed."
+ firedtimes: 2
+ gdpr:
+ - "IV_35.7.d"
+ - "IV_32.2"
+ gpg13:
+ - "7.1"
+ groups:
+ - "syslog"
+ - "sshd"
+ - "authentication_failed"
+ hipaa:
+ - "164.312.b"
+ id: "5760"
+ level: 5
+ mail: false
+ mitre:
+ id:
+ - "T1110.001"
+ - "T1021.004"
+ tactic:
+ - "Credential Access"
+ - "Lateral Movement"
+ technique:
+ - "Password Guessing"
+ - "SSH"
+ nist_800_53:
+ - "AU.14"
+ - "AC.7"
+ pci_dss:
+ - "10.2.4"
+ - "10.2.5"
+ tsc:
+ - "CC6.1"
+ - "CC6.8"
+ - "CC7.2"
+ - "CC7.3"
+ service: "system"
+ status: "information"
+ syslog:
+ appname: "ossec"
+ hostname: "ub20"
+ timestamp: "2024-09-18T15:31:44.788+0530"
+ message: "<132>Sep 18 15:31:44 ub20 ossec: {\"timestamp\":\"2024-09-18T15:31:44.788+0530\",\"rule\":{\"level\":5,\"description\":\"sshd: authentication failed.\",\"id\":\"5760\",\"mitre\":{\"id\":[\"T1110.001\",\"T1021.004\"],\"tactic\":[\"Credential Access\",\"Lateral Movement\"],\"technique\":[\"Password Guessing\",\"SSH\"]},\"firedtimes\":2,\"mail\":false,\"groups\":[\"syslog\",\"sshd\",\"authentication_failed\"],\"gdpr\":[\"IV_35.7.d\",\"IV_32.2\"],\"gpg13\":[\"7.1\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.14\",\"AC.7\"],\"pci_dss\":[\"10.2.4\",\"10.2.5\"],\"tsc\":[\"CC6.1\",\"CC6.8\",\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"010\",\"name\":\"co7\",\"ip\":\"10.10.10.10\"},\"manager\":{\"name\":\"ub20\"},\"id\":\"1726653704.812551\",\"full_log\":\"Sep 18 15:31:43 co7 sshd[28830]: Failed password for devuser from 10.10.10.10 port 57137 ssh2\",\"predecoder\":{\"program_name\":\"sshd\",\"timestamp\":\"Sep 18 15:31:43\",\"hostname\":\"co7\"},\"decoder\":{\"parent\":\"sshd\",\"name\":\"sshd\"},\"data\":{\"srcip\":\"10.10.10.10\",\"srcport\":\"57137\",\"dstuser\":\"devuser\"},\"location\":\"/var/log/secure\"}"
+ service: "system"
+ status: "info"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1726653704788
diff --git a/wazuh/assets/service_checks.json b/wazuh/assets/service_checks.json
new file mode 100644
index 0000000000000..fe51488c7066f
--- /dev/null
+++ b/wazuh/assets/service_checks.json
@@ -0,0 +1 @@
+[]
diff --git a/wazuh/assets/wazuh.svg b/wazuh/assets/wazuh.svg
new file mode 100644
index 0000000000000..4be537e5b4009
--- /dev/null
+++ b/wazuh/assets/wazuh.svg
@@ -0,0 +1,25 @@
+ + + + + + + + + + + + +
diff --git a/wazuh/changelog.d/18646.added b/wazuh/changelog.d/18646.added
new file mode 100644
index 0000000000000..aa949b47b7b41
--- /dev/null
+++ b/wazuh/changelog.d/18646.added
@@ -0,0 +1 @@
+Initial Release
\ No newline at end of file
diff --git a/wazuh/datadog_checks/__init__.py b/wazuh/datadog_checks/__init__.py
new file mode 100644
index 0000000000000..1517d901c0aae
--- /dev/null
+++ b/wazuh/datadog_checks/__init__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__path__ = __import__('pkgutil').extend_path(__path__, __name__) # type: ignore
diff --git a/wazuh/datadog_checks/wazuh/__about__.py b/wazuh/datadog_checks/wazuh/__about__.py
new file mode 100644
index 0000000000000..e9541ce83e9e5
--- /dev/null
+++ b/wazuh/datadog_checks/wazuh/__about__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'
diff --git a/wazuh/datadog_checks/wazuh/__init__.py b/wazuh/datadog_checks/wazuh/__init__.py
new file mode 100644
index 0000000000000..e3e1909cdf383
--- /dev/null
+++ b/wazuh/datadog_checks/wazuh/__init__.py
@@ -0,0 +1,6 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+
+__all__ = ['__version__']
diff --git a/wazuh/datadog_checks/wazuh/data/conf.yaml.example b/wazuh/datadog_checks/wazuh/data/conf.yaml.example
new file mode 100644
index 0000000000000..f6801265fd70f
--- /dev/null
+++ b/wazuh/datadog_checks/wazuh/data/conf.yaml.example
@@ -0,0 +1,20 @@
+## Log Section
+##
+## type - required - Type of log input source (tcp / udp / file / windows_event).
+## port / path / channel_path - required - Set port if type is tcp or udp.
+## Set path if type is file.
+## Set channel_path if type is windows_event.
+## source - required - Attribute that defines which integration sent the logs.
+## encoding - optional - For file specifies the file encoding. Default is utf-8. Other
+## possible values are utf-16-le and utf-16-be.
+## service - optional - The name of the service that generates the log.
+## Overrides any `service` defined in the `init_config` section.
+## tags - optional - Add tags to the collected logs.
+##
+## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/
+#
+# logs:
+# - type: udp
+# port:
+# source: wazuh
+# service: wazuh
diff --git a/wazuh/images/wazuh-cloud-security.png b/wazuh/images/wazuh-cloud-security.png
new file mode 100644
index 0000000000000..be70456fd75c2
Binary files /dev/null and b/wazuh/images/wazuh-cloud-security.png differ
diff --git a/wazuh/images/wazuh-file-integrity-monitoring.png b/wazuh/images/wazuh-file-integrity-monitoring.png
new file mode 100644
index 0000000000000..afe8e4c4e97e0
Binary files /dev/null and b/wazuh/images/wazuh-file-integrity-monitoring.png differ
diff --git a/wazuh/images/wazuh-malware-detection.png b/wazuh/images/wazuh-malware-detection.png
new file mode 100644
index 0000000000000..6a789e723310b
Binary files /dev/null and b/wazuh/images/wazuh-malware-detection.png differ
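Review bot: The commented example leaves `# port:` with no value, so a user who uncomments the block ends up with a null port instead of a hint of what belongs there; a labelled placeholder such as `# port: <PORT>` (constructed placeholder) would match how the rest of the example is written. The example input type is `udp`, which delivers the alert stream with no transport authentication or integrity, and the key description block says nothing about that; appending one sentence to the existing `## port / path / channel_path` line, e.g. `Expose the tcp/udp listener only to the Wazuh manager (bind address or host firewall); syslog over UDP is unauthenticated.`, gives the operator the mitigation at the point of configuration.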
diff --git a/wazuh/images/wazuh-mitre-attack.png b/wazuh/images/wazuh-mitre-attack.png
new file mode 100644
index 0000000000000..3f0e694469337
Binary files /dev/null and b/wazuh/images/wazuh-mitre-attack.png differ
diff --git a/wazuh/images/wazuh-overview.png b/wazuh/images/wazuh-overview.png
new file mode 100644
index 0000000000000..33079b2552406
Binary files /dev/null and b/wazuh/images/wazuh-overview.png differ
diff --git a/wazuh/images/wazuh-security-operation.png b/wazuh/images/wazuh-security-operation.png
new file mode 100644
index 0000000000000..e2ddd06ad989f
Binary files /dev/null and b/wazuh/images/wazuh-security-operation.png differ
diff --git a/wazuh/images/wazuh-system.png b/wazuh/images/wazuh-system.png
new file mode 100644
index 0000000000000..0fbce64ec9c51
Binary files /dev/null and b/wazuh/images/wazuh-system.png differ
diff --git a/wazuh/images/wazuh-vulnerability-detection.png b/wazuh/images/wazuh-vulnerability-detection.png
new file mode 100644
index 0000000000000..9ff142927e082
Binary files /dev/null and b/wazuh/images/wazuh-vulnerability-detection.png differ
diff --git a/wazuh/manifest.json b/wazuh/manifest.json
new file mode 100644
index 0000000000000..b2cc7cc9e4472
--- /dev/null
+++ b/wazuh/manifest.json
@@ -0,0 +1,101 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "5b1e3f2f-419d-4d9d-bb00-002b58e28835",
+ "app_id": "wazuh",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into the Wazuh alerts.",
+ "title": "Wazuh",
+ "media": [
+ {
+ "caption": "Wazuh - Cloud Security",
+ "image_url": "images/wazuh-cloud-security.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Wazuh - File Integrity Monitoring",
+ "image_url": "images/wazuh-file-integrity-monitoring.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Wazuh - Malware Detection",
+ "image_url": "images/wazuh-malware-detection.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Wazuh - MITRE ATT&CK",
+ "image_url": "images/wazuh-mitre-attack.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Wazuh - Overview",
+ "image_url": "images/wazuh-overview.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Wazuh - Security Operations",
+ "image_url": "images/wazuh-security-operation.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Wazuh - System",
+ "image_url": "images/wazuh-system.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Wazuh - Vulnerability Detection",
+ "image_url": "images/wazuh-vulnerability-detection.png",
+ "media_type": "image"
+ }
+ ],
+ "classifier_tags": [
+ "Supported OS::Linux",
+ "Supported OS::Windows",
+ "Supported OS::macOS",
+ "Category::Alerting",
+ "Category::Log Collection",
+ "Category::Security",
+ "Offering::Integration",
+ "Submitted Data Type::Logs"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": true,
+ "source_type_id": 26101213,
+ "source_type_name": "Wazuh",
+ "configuration": {
+ "spec": "assets/configuration/spec.yaml"
+ },
+ "events": {
+ "creates_events": false
+ },
+ "service_checks": {
+ "metadata_path": "assets/service_checks.json"
+ }
+ },
+ "dashboards": {
+ "Wazuh - Overview": "assets/dashboards/wazuh_overview.json",
+ "Wazuh - File Integrity Monitoring": "assets/dashboards/wazuh_file_integrity_monitoring.json",
+ "Wazuh - Malware Detection": "assets/dashboards/wazuh_malware_detection.json",
+ "Wazuh - MITRE ATT&CK": "assets/dashboards/wazuh_MITRE_ATT&CK.json",
+ "Wazuh - Security Operations": "assets/dashboards/wazuh_security_operations.json",
+ "Wazuh - System": "assets/dashboards/wazuh_system.json",
+ "Wazuh - Vulnerability Detection": "assets/dashboards/wazuh_vulnerability_detection.json",
+ "Wazuh - Cloud Security": "assets/dashboards/wazuh_cloud_security.json"
+ },
+ "logs": {
+ "source": "wazuh"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
\ No newline at end of file
diff --git a/wazuh/pyproject.toml b/wazuh/pyproject.toml
new file mode 100644
index 0000000000000..7356d30e21a67
--- /dev/null
+++ b/wazuh/pyproject.toml
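Review bot: The dashboard asset path `assets/dashboards/wazuh_MITRE_ATT&CK.json` is the only one of the eight that is not lowercase snake_case, and it puts an `&` into a filename, which has to be quoted in shells and percent-encoded in links; renaming the file to `assets/dashboards/wazuh_mitre_attack.json` (the display key can keep `"Wazuh - MITRE ATT&CK"`) keeps it in line with the sibling dashboards and with `images/wazuh-mitre-attack.png`. The file also ends without a trailing newline; adding one after the closing `}` is a small style fix.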
@@ -0,0 +1,59 @@
+[build-system]
+requires = [
+ "hatchling>=0.13.0",
+]
+build-backend = "hatchling.build"
+
+[project]
+name = "datadog-wazuh"
+description = "The wazuh check"
+readme = "README.md"
+license = "BSD-3-Clause"
+keywords = [
+ "datadog",
+ "datadog agent",
+ "datadog check",
+ "wazuh",
+]
+authors = [
+ { name = "Datadog", email = "packages@datadoghq.com" },
+]
+classifiers = [
+ "Development Status :: 5 - Production/Stable",
+ "Intended Audience :: Developers",
+ "Intended Audience :: System Administrators",
+ "License :: OSI Approved :: BSD License",
+ "Private :: Do Not Upload",
+ "Programming Language :: Python :: 3.11",
+ "Topic :: System :: Monitoring",
+]
+dependencies = [
+ "datadog-checks-base>=4.2.0",
+]
+dynamic = [
+ "version",
+]
+
+[project.optional-dependencies]
+deps = []
+
+[project.urls]
+Source = "https://github.com/DataDog/integrations-core"
+
+[tool.hatch.version]
+path = "datadog_checks/wazuh/__about__.py"
+
+[tool.hatch.build.targets.sdist]
+include = [
+ "/datadog_checks",
+ "/tests",
+ "/manifest.json",
+]
+
+[tool.hatch.build.targets.wheel]
+include = [
+ "/datadog_checks/wazuh",
+]
+dev-mode-dirs = [
+ ".",
+]
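Review bot: The classifier `"Development Status :: 5 - Production/Stable"` sits alongside `__version__ = '0.0.1'` in `datadog_checks/wazuh/__about__.py` and an "Initial Release" changelog fragment in the same change, which reads as inconsistent for a first cut. If the repository template fixes the classifier this can be left as is; otherwise either the version should be bumped to the intended first release or the classifier lowered, e.g. `"Development Status :: 4 - Beta"`, so the package metadata and the version tell the same story.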