Custom Report


Afika Fairuz

Feb 10, 2022, 2:21:52 AM
to Wazuh mailing list
Hi!
Before explaining my question, first I want to apologize if this question has been asked before; I haven't seen a similar question, so I decided to ask this directly.

Wazuh can generate reports, but our company needs more detail in the report for analysis, tracing, etc.

Here I have attached what our company needs as a report.

Hopefully there's a way to solve this, or any alternative.

Thank you in advance.

Regards

ATTACH.png

Facundo Mayon

Feb 10, 2022, 7:42:17 AM
to Wazuh mailing list
Hello! Thanks for using Wazuh!
The way to perform a custom request is using the Kibana Discover section. I attach here some instructions to perform a custom query.

1. Go to the Kibana -> Discover section.
2. In the left panel, under Available fields, select the fields you want to export, e.g. agent.id, agent.ip and agent.name.
3. Press the Save option at the top right corner and set a name for the search.
4. Click the Reporting option and select View reports.
5. Create a new report definition, set the name, set the report source to Saved search and select your previously saved search. Then specify the time range.
6. You will obtain a CSV with all the data inside Elasticsearch. You can now analyze it as you wish.

I hope it helps you; don't hesitate to ask us if you have any doubt.

I'm investigating if it's possible to add the attacker IP and the attacked port.
I will be back ASAP.

Hope this info could be helpful

Regards

Facundo Mayon

Feb 10, 2022, 8:09:17 AM
to Wazuh mailing list
Hello again!
I was researching some information and I found these attributes to add to your custom report.
1) data.scrip (Attacker ip)
2) data.scrport (Attacked port)

One important consideration is that these fields are going to have data if the triggered alert took that information from the event.
For example, the SSH brute force alert has the recognition of these attributes set; I attach here the documentation about it: https://documentation.wazuh.com/current/learning-wazuh/ssh-brute-force.html.

Hope this info could be useful. If you need anything else, feel free to write again.

Regards.

Facundo Mayon
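The two replies above describe the export as a Kibana click-through (save a search with chosen fields, create a report definition over a time range, get a CSV) and warn that source-address fields are only populated when the decoder extracted them from the event. The script below is an added example, written for this thread and not part of Wazuh or of the original posts, that does the same flattening directly from the alert documents so the result can be checked when the Kibana reporting path produces an empty sheet. It assumes alerts in the JSON shape Wazuh writes (one object per line, as in /var/ossec/logs/alerts/alerts.json on the manager and in the wazuh-alerts-* index), uses the field spellings data.srcip and data.srcport from Wazuh's decoders, and embeds two constructed sample alerts (not real events) so it runs offline; alerts that lack a field get an empty cell rather than breaking the export.

```python
"""Flatten Wazuh-style alert documents into a CSV of chosen dotted fields."""
import csv
import io
import json
from datetime import datetime

# Dotted field names as they appear in Discover. data.srcip / data.srcport are
# the spellings used by Wazuh's decoders (assumption stated in the lead-in).
DEFAULT_FIELDS = [
    "timestamp", "agent.id", "agent.ip", "agent.name",
    "rule.id", "rule.level", "rule.description",
    "data.srcip", "data.srcport",
]

# Constructed sample alerts (not real events): one SSH brute-force alert that
# carries a source IP/port, and one file-integrity alert that does not.
SAMPLE_ALERTS_NDJSON = "\n".join(json.dumps(a) for a in [
    {
        "timestamp": "2022-02-09T10:15:02.123+0000",
        "agent": {"id": "001", "ip": "10.0.0.5", "name": "web-01"},
        "rule": {"id": "5712", "level": 10,
                 "description": "sshd: brute force trying to get access to the system."},
        "data": {"srcip": "203.0.113.7", "srcport": "51234", "dstuser": "root"},
    },
    {
        "timestamp": "2022-02-11T08:00:45.000+0000",
        "agent": {"id": "002", "ip": "10.0.0.6", "name": "db-01"},
        "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
        "syscheck": {"path": "/etc/passwd", "event": "modified"},
    },
])


def load_alerts(ndjson_text):
    """Parse newline-delimited JSON (the alerts.json layout), skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def get_field(doc, dotted):
    """Resolve 'a.b.c' against nested dicts; return '' when any level is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return "" if cur is None else str(cur)


def parse_timestamp(ts):
    """Wazuh writes e.g. 2022-02-09T10:15:02.123+0000; %z accepts the +0000 offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def alerts_to_csv(alerts, fields=DEFAULT_FIELDS, start=None, end=None):
    """Return (csv_text, exported_count) for alerts inside [start, end] (aware datetimes)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    exported = 0
    for alert in alerts:
        if start is not None or end is not None:
            t = parse_timestamp(alert["timestamp"])
            if (start is not None and t < start) or (end is not None and t > end):
                continue
        writer.writerow([get_field(alert, f) for f in fields])
        exported += 1
    return buf.getvalue(), exported


if __name__ == "__main__":
    # Mirrors step 5 of the thread: a time range from 1 February onwards.
    alerts = load_alerts(SAMPLE_ALERTS_NDJSON)
    text, n = alerts_to_csv(alerts, start=parse_timestamp("2022-02-01T00:00:00.000+0000"))
    print(text)
    print(f"{n} alert(s) exported")
```

To run it against a real manager, replace SAMPLE_ALERTS_NDJSON with the contents of alerts.json; an exported count of zero for a range that should contain alerts points at the time range or the index, not at the field selection, which is the distinction the empty-sheet report later in this thread needed.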

Afika Fairuz

Feb 10, 2022, 9:00:57 PM
to Wazuh mailing list
Hi! Thank you for answering my question.
It's really helping. I've tried every step you gave, but there's something I didn't understand here.

I've tried the 5th step to generate a CSV report. I set the time range from 1st February till now, but when the CSV was generated, there was nothing inside, just an empty sheet.
Am I doing something wrong?
Here I attached our Discover and report settings.

discover.png reporting.png

Facundo Mayon

Feb 11, 2022, 6:58:05 AM
to Wazuh mailing list
Hi! I was reviewing the whole process and I could export a CSV with all the information.
I attach here the example CSV file. Don't worry about the info; these agents are mocks that we created to test the app.

But checking your screenshots, I think that I'm working with a newer Kibana version. Could you share with me which version of Kibana you are using?
Thanks and happy Friday!

Afika Fairuz

Feb 12, 2022, 6:45:30 AM
to Wazuh mailing list
I'm sorry, but I couldn't find an example CSV of yours.

We are using v7.10.2 of Kibana.
Should we update to the newer version?

Thank you
Happy weekend

You can reply to this on a weekday; enjoy your free time.

Regards

Facundo Mayon

Feb 14, 2022, 8:40:54 AM
to Wazuh mailing list
Good morning, sorry for the delay in answering.
I replicated the same environment that you have with 7.10.2, and I also have problems generating the CSV. I think it's a possible bug in this Kibana version.
The procedure to update the Kibana version is a bit hard; could you tell me which type of security you are using with Kibana 7.10.2?

Adi Fauzi

Feb 14, 2022, 9:45:08 AM
to Facundo Mayon, Wazuh mailing list
It's fine, I hope you have a nice weekend.

I've tried upgrading from 7.10.2 to 7.17 in the dev environment, but I'm still looking at what's wrong with it. I've checked the running services; Elasticsearch, Kibana and the Wazuh manager are running, but I couldn't access the GUI in the browser. I'll continue to check the settings tomorrow.

Pardon me if I misunderstood your question. Our company is currently concerned with cyber security and trying to implement a SOC. Through many recommendations, we chose Wazuh as our SIEM. So far, we are using features like vulnerability assessment, security events and integrity monitoring.
We use reports from security events and VA to make decisions to improve our system.


Facundo Mayon

Feb 14, 2022, 10:25:52 AM
to Adi Fauzi, Wazuh mailing list
Good afternoon.
Great to hear that you are upgrading the Kibana version.
Regarding your chosen Kibana version, right now the Wazuh app has no support for Kibana 7.17; we are working on that. Our goal is to have a new release, 4.3, that supports at least Kibana 7.16.3; this should be available in a few weeks.
Our current version is 4.2.5. I leave here the link to the compatibility matrix so you can take a look at it: https://github.com/wazuh/wazuh-kibana-app/tree/master#wazuh---kibana---open-distro-version-compatibility-matrix.

And regarding the question about the security you are using, I mean whether you are using OpenDistro to access your current Kibana.

Regards
--
Facundo Mayon
QA Software Engineer
Wazuh, The Open Source Security Platform

Adi Fauzi

Feb 14, 2022, 6:00:01 PM
to Facundo Mayon, Wazuh mailing list
Thank you, I will check it out.
Thanks for the answer, appreciate it 🙇🏻‍♂️
We'll wait for the update.

Facundo Mayon

Feb 15, 2022, 5:40:17 AM
to Adi Fauzi, Wazuh mailing list
It was a pleasure. If I can help with anything else, please let me know.
Have a great day.

Afika Fairuz

Feb 24, 2022, 3:20:02 AM
to Wazuh mailing list
Hello again
Sorry if I keep asking questions.

We installed Wazuh using this documentation,
then we got Wazuh 4.2.5, Elastic/Kibana 7.10.2 and OpenDistro. Then we got issues like we discussed above.

We'll upgrade Elastic to version 7.14, which still supports Wazuh 4.2.5.
We've tried it on the dev environment and think we will use it in the prod environment.

Because we use it on the dev environment and we failed to upgrade,
could we upgrade, or just do a fresh install instead?

Thank you in advance.

Regards

Facundo Mayon

Feb 24, 2022, 6:31:58 AM
to Afika Fairuz, Wazuh mailing list
Hello Afika. It's a pleasure to have news from you.
Regarding the problem that you have, I can recommend two alternative ways.
1) As I explained in the previous email, we are expecting to go to Wazuh version 4.3 in the next few days; this update will include a new rebranding, bug fixes, and support for Kibana 7.16.3 and Kibana 7.17.0, with new support documentation also updated.
So if you have the possibility to wait a few more days, I recommend you upgrade Kibana and also the Wazuh version; there is going to be documentation available to help perform this process.
2) If you want to keep the 4.2.5 Wazuh version and still use Kibana 7.14, please let me know, so I can research some information to assist you with the upgrade problem.

Expecting your answer soon.
Regards


Afika Fairuz

Jul 29, 2022, 3:20:02 AM
to Wazuh mailing list
Hello again,
Sorry for continuing this thread, but we got some issues regarding OpenSearch.

We've upgraded to Wazuh 4.3 now; we've also migrated to the Wazuh indexer and it's working fine.

We made a lot of progress using Wazuh and OpenSearch here; we appreciate the maximum effort from the Wazuh team. Thank you.

We can analyze data using a CSV imported from OpenSearch now.

The issue is, we need to add some fields in the Discover options menu in OpenSearch,
but we couldn't save the search as it shows a "Forbidden" error.
We logged in as admin.

We tried to find this issue in this mailing list, but I think there are no issues like this yet.

And we tried to create a new user to check if that could solve our issue.

Could you help us?

Thank you
And sorry again for bothering you with a lot of questions.
Forbidden.png

Facundo Mayon

Jul 29, 2022, 7:19:45 AM
to Afika Fairuz, Wazuh mailing list
Hi Afika!
Nice to hear from you.
I'm glad that you are happy with the new version.

I have to ask you to open a new thread (send a new email to the Google group) with the new issue, since the original problem is fixed, so we can track the approach to solve the new one in another thread.

Thank you in advance.
Regards
