SCA report


Ricky Chung

Jan 28, 2021, 6:07:13 AM
to Wazuh mailing list
Hi

I would like to generate reports of the SCA results; does anyone know how to do it?

Report the SCA scores of all agents in one page.
Report all SCA failed items of each agent.

Is it possible to do this?

Thanks!

Mariano Koremblum

Feb 1, 2021, 3:12:16 PM
to Wazuh mailing list

Hi rchung!

You can achieve this through the web by following the next steps:

  • 1st: Go to Wazuh Manager’s Website

  • 2nd: Go to Wazuh -> Modules -> Security Events

  • 3rd: In the “Search” Bar, on the Security Events’ Dashboard, copy & paste the following line:

rule.groups:sca AND data.sca.score:* AND agent.name:*

This will filter the whole list of events to those, of any agent, that are of the type “SCA” and contain a valid score field.

  • 4th: Generate the report by clicking on the “Generate report” button on the upper right corner of the Security Events’ Dashboard.

  • 5th: Go to Wazuh -> Management -> Status and reports -> Reporting

  • 6th: You will see the list of generated reports, download the one you need.

  • 7th: In order to get all the SCA failed items of a specific agent, just go through steps 1 to 6 again, but in step 3 use the following search rule:

rule.groups:sca AND agent.name:My-Custom-Agent-Name AND data.sca.check.result:failed

Where “My-Custom-Agent-Name” should be replaced by a valid agent name.

I hope our answer helped you! Please let us know if you need further help. I encourage you to open a new thread/conversation in the Google group if you have questions unrelated to this specific question.

Regards :)

Koremblum Nicolás Mariano

scott gibbons

Aug 17, 2021, 11:24:27 AM
to Wazuh mailing list
Do you know how to do this where you only see the score for each agent by itself? I see the score for each agent but multiple times.

Juan Carlos Tello

Sep 20, 2021, 7:55:01 AM
to scott gibbons, Wazuh mailing list
Hello Scott,

This can be achieved by doing an aggregation filter. The easiest way to do this is by creating a custom visualization (which you can add to a custom dashboard if you wish). First, select Visualize from the Kibana subsection of the main Kibana menu:
[screenshot]
Then select Create visualization and select Data Table as the type of visualization:

[screenshot]

Once there, modify the Metric from Sum to Top Hit and select the data.sca.score Field sorted by timestamp. Then add a bucket to split the rows by Terms based on the agent.name field, increase the size of the bucket to the number of agents you wish to see and click on Update. Finally, add a filter that requires that data.sca.score exists before saving your visualization:
[screenshot]

This will summarize the latest seen score for each agent for the selected time range.

Let us know if you have any other questions,
Best Regards,
Juan Carlos Tello
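Added example (not from this thread or the Wazuh project): the two reports discussed above expressed as Elasticsearch/OpenSearch query DSL, so the "latest score per agent" table and the "failed checks for one agent" list can be pulled by a script instead of clicked through in Kibana. It assumes the default wazuh-alerts-* index and the field names used in the thread (rule.groups, agent.name, data.sca.score, data.sca.check.result, timestamp); the response at the bottom is constructed to show what the parser expects.

```python
from typing import Any

def latest_sca_score_query(max_agents: int = 100) -> dict[str, Any]:
    """Terms bucket on agent.name, each holding the newest SCA score (Top Hit), as in the Data Table."""
    return {
        "size": 0,  # only the aggregation is wanted, not the raw alert hits
        "query": {"bool": {"filter": [
            {"term": {"rule.groups": "sca"}},
            {"exists": {"field": "data.sca.score"}},  # the "data.sca.score exists" filter
        ]}},
        "aggs": {"per_agent": {
            "terms": {"field": "agent.name", "size": max_agents},  # bucket size = number of agents
            "aggs": {"latest": {"top_hits": {
                "size": 1,
                "sort": [{"timestamp": {"order": "desc"}}],  # Top Hit sorted by timestamp
                "_source": ["timestamp", "data.sca.policy", "data.sca.score"],
            }}},
        }},
    }

def failed_checks_query(agent_name: str, size: int = 500) -> dict[str, Any]:
    """DSL form of: rule.groups:sca AND agent.name:<agent> AND data.sca.check.result:failed."""
    return {
        "size": size,
        "sort": [{"timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": [
            {"term": {"rule.groups": "sca"}},
            {"term": {"agent.name": agent_name}},
            {"term": {"data.sca.check.result": "failed"}},
        ]}},
    }

def scores_from_response(resp: dict[str, Any]) -> dict[str, int]:
    """Flatten the aggregation response into {agent name: latest score}, one row per agent."""
    scores = {}
    for bucket in resp["aggregations"]["per_agent"]["buckets"]:
        hits = bucket["latest"]["hits"]["hits"]
        if hits:  # an empty bucket means no scored SCA event in the selected time range
            scores[bucket["key"]] = int(hits[0]["_source"]["data"]["sca"]["score"])
    return scores

# Constructed sample response, shaped like the indexer's answer to latest_sca_score_query().
SAMPLE_RESPONSE = {"aggregations": {"per_agent": {"buckets": [
    {"key": "web-01", "latest": {"hits": {"hits": [
        {"_source": {"timestamp": "2021-09-20T07:00:00Z", "data": {"sca": {"score": 72}}}}]}}},
    {"key": "db-01", "latest": {"hits": {"hits": [
        {"_source": {"timestamp": "2021-09-20T07:01:00Z", "data": {"sca": {"score": 55}}}}]}}},
]}}}
```

Send either body as the JSON of a POST to the wazuh-alerts-* _search endpoint; the aggregation query returns one bucket per agent, which is the deduplicated view Scott asked for.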

