Parsing AWS events


Slava G

Mar 30, 2021, 2:55:55 PM
to Wazuh mailing list
Hi,
I have a cloudtrail log analyzed by Wazuh and I can see events from AWS cloudtrail in the Wazuh.
But if I'm trying to find something from the event data, like the field privateIpAddress:"10.0.0.1", I'm getting nothing, or just "10.0.0.1", same empty result.
But I see it in the event when I find it manually, just browsing one by one.
So, my question is: are not all fields from the AWS CloudTrail events parsed and indexed?

Thanks

Cesar Moreno

Mar 30, 2021, 8:42:37 PM
to Wazuh mailing list
Hello there,
Thank you for asking Wazuh. I hope you are very well.
If you are trying to use the Search input in the Security events, you can use for example "data.privateIpAddress:10.0.0.1" to reach the json formatted data. You should be able to create any filter for those Fields to include or exclude them from the list.
Could you please confirm you are getting the logs in Kibana in the Security events? If you are unable to filter or search for them, please let me know and I'm glad to help you with this issue if you share with me some more information about the Elasticsearch indexes.
As you can see in the following example, the logs can be reached depending on the json level you are getting the field:
In this case, you should search for data.aws.sourceIPAddress:10.0.0.1 or you can create a Filter for the Field data.aws.sourceIPAddress - Operator: is - Value: 10.0.0.1 (In the Filter you'll get a list of the allowed fields for all the listed events).
Hope this helps! Anything you need, please let me know.
Kind regards,
Cesar Moreno.

Slava G

Mar 31, 2021, 2:32:06 AM
to Cesar Moreno, Wazuh mailing list
Hi Cesar,
Thanks for your reply.
I do see those events in Kibana when I browse them manually, filtered for example by AWS Region.
But the internal data looks more complex; here you can see the attached event from Kibana (JSON).
I can't filter by data.aws.responseElements.instancesSet.items.networkInterfaceSet.items[].privateIpAddress
And just looking for "10.0.0.1" returns nothing.
Thanks 

[Attachment: AWS_Event.json]

Cesar Moreno

Mar 31, 2021, 9:10:10 PM
to Wazuh mailing list
Hello,
No worries, I'm glad to help you.
The JSON arrays are decoded as a unique field by the Wazuh manager (An array of objects is not supported in the JSON decoder.) with the json values inside this field. Only the key:values can be reached, please find the following Azure cloud example:
[Screenshots: searching-for-Kibana-Events.PNG, Json-array.PNG]
In this example, I'm able to find the events containing this value by searching as follows: "data.AuthenticationDetails.authenticationMethod:Previously satisfied"
For more information about the Wazuh json decoder, please visit the following guide:
https://documentation.wazuh.com/current/user-manual/ruleset/json-decoder.html

In the case you shared with me, you can reach the other privateIpAddress field as data.aws.responseElements.instancesSet.items.privateIpAddress:10.0.0.1 instead of the one inside the array data.aws.responseElements.instancesSet.items.networkInterfaceSet.[]items.{}0.privateIpAddress:10.0.0.1, since the networkInterfaceSet will contain all the items in it as a value (as shown in my example screenshot).
Hope this helps you. In case you need to access these values inside the arrays since you are unable to reach them as in my above example, please let me know and I can find out an alternative for you.

I look forward to your reply.
Kind regards,
Cesar Moreno.

Slava G

Apr 1, 2021, 6:29:42 AM
to Cesar Moreno, Wazuh mailing list
Thanks, 
Indeed, data.aws.responseElements.instancesSet.items.privateIpAddress:10.0.0.1 does the work.
Now the question: in Elasticsearch there's an option to search across all fields, so is there any option to just search "10.0.0.1" without specifying which field? As I do not always know the field name.

Thanks

Cesar Moreno

Apr 8, 2021, 8:54:24 PM
to Wazuh mailing list
Hello,
Sorry for the delayed response.
When you are using the Wazuh app, you should be able to use the same as the KQL query in the search bar in Kibana.
In this case, you can search for IPs by using for example *IP*:10.0.0.1, and you will get all the results for that IP in any field whose name contains IP. Please be aware that, by default, only the last 24 hours are queried.
For more information about Searching for alerts using the Wazuh app for Kibana, please visit this blog.
Hope this helps you. Anything you need, please let me know, I'm happy to help.
Kind regards,
Cesar Moreno.

Slava G

Apr 15, 2021, 4:34:36 PM
to Cesar Moreno, Wazuh mailing list
Thanks. 
Sorry for my late response 😀
Do I have to specify a field name even with a wildcard? Is there any option for free text search that searches across all fields?

Thanks 
Slava

Cesar Moreno

Apr 19, 2021, 6:16:30 PM
to Wazuh mailing list
Hello Slava,
Unfortunately, it's not possible to search for the text without specifying the fields. If you want to use the search bar, you'll have to specify at least a substring of the field name with wildcards.
Alternatively, you can use the Elastic dev tools if you don't want to specify the fields, but you still have to specify "*" since it's a mandatory field. Please see the following example:
GET /_search
{
  "query": {
    "multi_match" : {
      "query":      "10.0.0.1",
      "type":       "cross_fields",
      "fields":     [ "*"]
    }
  }
}
Hope this helps. Any questions, please let me know.
Kind regards,
Cesar Moreno.
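As an added illustration (not code from this thread, from Wazuh, or from Elasticsearch), a small Python model of the behaviour described above: nested keys flatten to dotted `data.*` names, an array of objects stays one field holding the serialised array (so keys inside it are never fields of their own), and a field-name wildcard such as `*IP*` or `*` limits where a value is looked for. `SAMPLE_EVENT` is a constructed CloudTrail-like event and `flatten` is a simplification, not the Wazuh JSON decoder.

```python
import fnmatch
import json

# Constructed sample shaped like the CloudTrail RunInstances event discussed in
# the thread (not the poster's attachment): a single instance object under
# instancesSet.items and an ARRAY of objects under networkInterfaceSet.items.
SAMPLE_EVENT = {"aws": {
    "eventName": "RunInstances",
    "sourceIPAddress": "203.0.113.7",
    "responseElements": {"instancesSet": {"items": {
        "instanceId": "i-0123456789abcdef0",
        "privateIpAddress": "10.0.0.1",
        "networkInterfaceSet": {"items": [
            {"networkInterfaceId": "eni-0aaa", "privateIpAddress": "10.0.0.1"},
            {"networkInterfaceId": "eni-0bbb", "privateIpAddress": "10.0.0.2"},
        ]},
    }}},
}}


def flatten(obj, prefix="data"):
    """Simplified model of the decoding described in the thread (assumption,
    not Wazuh's decoder): nested objects become dotted field names; an array
    is kept as ONE field holding the serialised array, so keys inside it never
    become fields of their own."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}"
        if isinstance(value, dict):
            fields.update(flatten(value, name))
        elif isinstance(value, list):
            fields[name] = json.dumps(value, separators=(",", ":"))
        else:
            fields[name] = value
    return fields


def search(fields, value, field_glob="*"):
    """Names of fields whose value matches `value`, limited to field names that
    match `field_glob` (case-sensitive, as Elasticsearch field names are).
    Mirrors KQL `*IP*:10.0.0.1` and the multi_match on "*" from the thread;
    a serialised array matches only as text that contains the value."""
    hits = []
    for name, stored in fields.items():
        if not fnmatch.fnmatchcase(name, field_glob):
            continue
        is_array = isinstance(stored, str) and stored.startswith("[")
        if stored == value or (is_array and value in stored):
            hits.append(name)
    return sorted(hits)
```

Searching `10.0.0.1` with the glob `*IP*` finds nothing here because `privateIpAddress` spells it `Ip`, which is the kind of field-name guess the wildcard approach depends on.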

Slava G

Apr 20, 2021, 12:50:15 AM
to Cesar Moreno, Wazuh mailing list
Thanks, 
I was just hoping that it's possible in Wazuh.
In parallel I'm using logz.io, which is almost the same stack, and searching across fields is possible there without specifying field names.
And we do the same in our application, same approach.

Thanks. 

Cesar Moreno

Apr 20, 2021, 12:58:07 PM
to Wazuh mailing list
Hello Slava,
I appreciate your suggestion, I'll research it and raise an issue if needed for this product improvement.
Thank you very much. Any questions, please let me know.
Kind regards,
Cesar Moreno.
