Wazuh-Indexer Module Awesome

Quickly search your logs with Wazuh-Indexer module to spot IoCs.


Wazuh-Indexer

A DFIR-IRIS module provided by SOCFortress.
Contact SOCFortress »

Intro

Currently supports Wazuh-Indexer and Elasticsearch 7.10.1.

Use the Wazuh-Indexer module to quickly search your logs for IoCs. It is designed to help SOC analysts spot any other endpoints that have the same IoCs associated with their ingested events.

The module is built for the below IoC types:

  • IP Address
  • Domain
  • SHA256 Hash
  • Filename

By default the module looks for IoCs in the following fields of the configured index:

  • dns_query
  • dst_ip
  • sha256
  • data_win_eventdata_targetFilename

You can configure the module to search any index and any fields you like.
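As an added example (not the module's own code), this is the query shape an IoC lookup like this one implies: one exact-match clause per configured field against an index pattern such as wazuh-alerts*, with the returned hits grouped per endpoint so other affected hosts stand out. The field names and IoC types come from this README; the bool/term query body, the agent.name field and the hit layout are assumptions.

```python
import base64
import json
import urllib.request

# Default search fields named in the README, keyed by the IoC types the module accepts.
IOC_FIELDS = {
    "ip": ["dst_ip"],
    "domain": ["dns_query"],
    "sha256": ["sha256"],
    "filename": ["data_win_eventdata_targetFilename"],
}

def build_ioc_query(ioc_type, value, fields=None, size=100):
    """Search body matching `value` exactly in any configured field (assumed query shape)."""
    if ioc_type not in IOC_FIELDS:
        raise ValueError(f"unsupported IoC type: {ioc_type}")
    if ioc_type == "sha256":
        value = value.lower()  # hashes are hex; normalise case before an exact match
    fields = fields or IOC_FIELDS[ioc_type]
    # `term` skips analysis, so an IP or hash must match as a whole token, not a substring.
    return {
        "size": size,
        "_source": ["agent.name"] + fields,
        "query": {"bool": {"should": [{"term": {f: value}} for f in fields],
                           "minimum_should_match": 1}},
    }

def search(endpoint, index, body, user, password):
    """POST body to <endpoint>/<index>/_search with basic auth; a read-only user suffices."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{endpoint.rstrip('/')}/{index}/_search", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["hits"]["hits"]

def endpoints_with_ioc(hits):
    """Count matching events per endpoint (agent.name) so other affected hosts stand out."""
    counts = {}
    for hit in hits:
        name = hit.get("_source", {}).get("agent", {}).get("name", "unknown")
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample hits in the shape an _search response returns (not real data).
SAMPLE_HITS = [
    {"_source": {"agent": {"name": "WIN-SRV01"}, "dst_ip": "203.0.113.10"}},
    {"_source": {"agent": {"name": "WIN-SRV01"}, "dst_ip": "203.0.113.10"}},
    {"_source": {"agent": {"name": "WS-042"}, "dst_ip": "203.0.113.10"}},
]
```

Pass `search(endpoint, "wazuh-alerts*", build_ioc_query("ip", "203.0.113.10"), user, password)` to `endpoints_with_ioc` to get the per-host counts for a live index; the constructed `SAMPLE_HITS` show the same grouping offline.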

Configuration

[screenshot: module configuration]

Results

[screenshot: search results]
Install

Currently, the Wazuh-Indexer module can be run as a DFIR-IRIS module.

Get started with DFIR-IRIS: Video Tutorial

The below steps assume you already have your own DFIR-IRIS application up and running.

  1. Fetch the Wazuh-Indexer Module repo

    git clone https://github.com/socfortress/iris-wazuhindexer-module
    cd iris-wazuhindexer-module

  2. Install the module

    ./buildnpush2iris.sh -a

Configuration

Once installed, configure the module to include:

  • Wazuh-Indexer Endpoint
  • Wazuh-Indexer Username (Read permissions for your desired index required)
  • Wazuh-Indexer Password
  • Index naming pattern (e.g. wazuh-alerts*)
  • Fields to search (e.g. dns_query, dst_ip, sha256, data_win_eventdata_targetFilename)

  1. Navigate to Advanced -> Modules

    [screenshot: Advanced -> Modules]

  2. Add a new module

    [screenshot: Add a new module]

  3. Input the module name: iris_wazuhindexer_module

    [screenshot: Input Module]

  4. Configure the module

    [screenshot: Configure Module]

Running the Module

To run the module select Case -> IOC and select the dropdown menu.

The beta currently supports IoCs of type: ip, domain, sha256, filename.

[screenshot: IoC]

[screenshot: Run Module]

Refresh the webpage within your browser.

Auto-refresh is coming soon.

Issues?

If you are experiencing issues, please contact us at [email protected]