Darktrace and Wazuh


yari arcopinto

Jul 14, 2023, 3:56:15 AM
to Wazuh mailing list
Hello team, 

I'm having an issue trying to integrate Darktrace with Wazuh.
Darktrace is installed on its own server, where I can't install the agent.

I have configured DT to send the syslog to Filebeat (IP + port where it is listening).

Also I have added the following to filebeat.yml:

filebeat.inputs:
- type: syslog
  format: auto
  protocol.tcp:
    host: "<internal IP>:514"


Then I tried to send some "alert tests" from DT to Wazuh.

Running tcpdump, I can see:

Msg: Jul 13 14:44:11 darktrace-dt-24698-01 darktrace {"model":{"description":"Test model used for testing alerting configuration.","created":{"by":"System"},"edited":{"by":"Nobody"},"name":"Unrestricted Test Model","priority":5},"device":{"ip":"0.1.2.3","hostname":"test-device.example.com","macaddress":"xx:xx:xx:xx:xx:xx","vendor":"Test Vendor","label":"Test Device"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"breachUrl":"","pbid":123,"score":1,"creationTime":1689259451714,"time":1689259451714,"mitreTechniques":[]}\0x0a
Msg: Jul 13 14:44:11 darktrace-dt-24698-01 darktrace {"model":{"description":"Test model used for testing alerting configuration.","created":{"by":"System"},"edited":{"by":"Nobody"},"name":"Unrestricted Test Model","priority":5},"device":{"ip":"0.1.2.3","hostname":"test-device.example.com","macaddress":
"xx:xx:xx:xx:xx:xx"  ,"vendor":"Test Vendor","label":"Test Device"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{[|syslog]

But I'm not able to see it in Wazuh. I have also checked the alerts.log/json and archive.log/json.

How can I solve this?


Thanks in advance

Selu López

Jul 14, 2023, 4:43:25 AM
to Wazuh mailing list

Hello Yari,

You are sending logs directly to Filebeat, but in order for Wazuh to process them and therefore appear in archives.log/json and alerts.json (if they match any rules), you should send them to Wazuh instead of Filebeat. Filebeat is in charge of reading the alerts already generated by Wazuh and indexing them.

There are at least two alternatives for this, I think these sections of the Wazuh documentation may be useful to you:

Let me know if you have any questions about it.

yari arcopinto

Jul 14, 2023, 6:30:02 AM
to Wazuh mailing list
Hello Selu, 

Thanks in advance for your support. 

So, I have added the following to ossec.conf:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>*internal ip*</allowed-ips>
</remote>

I have sent some "test alerts" from Darktrace, which were successfully sent.

By the way, I don't know in which file rsyslog is saving the data, to check whether everything is working or not.

Do you have any idea?

Regards.

Selu López

Jul 14, 2023, 7:51:05 AM
to Wazuh mailing list

Hello yari,

You can enable (if you haven’t already) the logall option in the global section of your manager’s ossec.conf file:

<global> ... <logall>yes</logall> ... </global>


After doing that and restarting the manager to apply the settings, you should be able to see in the following file all the events that Wazuh is receiving, including Darktrace events:

/var/ossec/logs/archives/archives.log


Remember to disable logall again after your tests to avoid taking up too much disk space.

Regards.

yari arcopinto

Jul 14, 2023, 8:33:27 AM
to Selu López, Wazuh mailing list
Hello Selu, 

It is already set to "yes". But in "archive.log" I don't see any logs related to the "test alert".

Regards,


yari arcopinto

Jul 14, 2023, 9:28:17 AM
to Wazuh mailing list
Hello Selu, 

Right now I'm able to see the "test alerts" in "archive.log".

But in this format:

2023 Jul 14 12:17:21 darktrace-dt-24698-01->***.**.**.* Jul 14 10:17:32 darktrace-dt-24698-01 darktrace {"model":{"description":"Test model used for testing alerting configuration.","created":{"by":"System"},"edited":{"by":"Nobody"},"name":"Unrestricted Test Model","priority":5},"device":{"ip":"0.1.2.3","hostname":"test-device.example.com","macaddress":"00:11:22:33:44:55","vendor":"Test Vendor","label":"Test Device"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"breachUrl":"","pbid":123,"score":1,"creationTime":1689329852598,"time":1689329852598,"mitreTechniques":[]}
2023 Jul 14 12:17:35 darktrace-dt-24698-01->***.**.**.* Jul 14 10:17:47 darktrace-dt-24698-01 darktrace {"model":{"description":"Test model used for testing alerting configuration.","created":{"by":"System"},"edited":{"by":"Nobody"},"name":"Unrestricted Test Model","priority":5},"device":{"ip":"0.1.2.3","hostname":"test-device.example.com","macaddress":"00:11:22:33:44:55","vendor":"Test Vendor","label":"Test Device"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"breachUrl":"","pbid":123,"score":1,"creationTime":1689329867399,"time":1689329867399,"mitreTechniques":[]}
2023 Jul 14 12:44:22 darktrace-dt-24698-01->***.**.**.* Jul 14 10:44:34 darktrace-dt-24698-01 darktrace {"model":{"description":"Test model used for testing alerting configuration.","created":{"by":"System"},"edited":{"by":"Nobody"},"name":"Unrestricted Test Model","priority":5},"device":{"ip":"0.1.2.3","hostname":"test-device.example.com","macaddress":"00:11:22:33:44:55","vendor":"Test Vendor","label":"Test Device"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"breachUrl":"","pbid":123,"score":1,"creationTime":1689331474168,"time":1689331474168,"mitreTechniques":[]}


If I'm right, the fact that I see it in the "archive.log" means that the indexer is still receiving the syslog. Is my assumption correct?

By the way, I'm not able to see them in Wazuh Security Events or in Wazuh Integrity Monitoring... What is the reason?

And if in the archive.log I see them in this format, is it because the indexer is actually not able to map them? Shall I create a new map?

Regards,

Selu López

Jul 17, 2023, 4:22:36 AM
to Wazuh mailing list

Hello Yari,

By default Wazuh only indexes alerts, not logs or events. For a log like the ones you’ve seen in the archives.log file to generate an alert, it must be decoded and match a rule. It seems that no decoders/rules match your log, so you will have to create your own.

I think the following blog post on how to create new decoders and rules will be useful to you:

Also, check these documentation pages:

Regards,

yari arcopinto

Jul 18, 2023, 4:32:07 AM
to Wazuh mailing list
Hello Selu, 

I have configured everything, but I'm having some issues with the JSON decoder, and more specifically with the "prematch" function.

The log is:

2023 Jul 18 10:01:50 CLO-D***->***.**.**.* 1 2023-07-18T08:02:01+00:00 darktrace-dt-24698-01 darktrace - - - {"model":{"name":"Unrestricted Test Model"},"device":{"ip":"0.1.2.3","hostname":"test-device.example.com","macaddress":"00:11:22:33:44:55","vendor":"Test Vendor","label":"Test Device"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"breachUrl":"","pbid":123,"score":1,"creationTime":1689667321524,"time":1689667321524,"mitreTechniques":[]}

Then in my local_decoder.xml I have configured it as below:

<decoder name="darktrace_parent">
  <program_name>darktrace_alerts</program_name>
</decoder>
<decoder name="Darktrace_child">
  <parent>darktrace_parent</parent>
  <prematch>model":</prematch>
  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

If I run /var/ossec/bin/wazuh-logtest and test the full log, the result is:
**Phase 1: Completed pre-decoding.
        full event: '2023 Jul 18 10:01:50 CLO-D***->***.**.**.* 1 2023-07-18T08:02:01+00:00 darktrace-dt-24698-01 darktrace - - - {"model":{"name":"Unrestricted Test Model"},"device":{"ip":"0.1.2.3","hostname":"test-device.example.com","macaddress":"00:11:22:33:44:55","vendor":"Test Vendor","label":"Test Device"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"breachUrl":"","pbid":123,"score":1,"creationTime":1689667321524,"time":1689667321524,"mitreTechniques":[]}'
        timestamp: '2023 Jul 18 10:01:50'

**Phase 2: Completed decoding.
        No decoder matched.

**Phase 3: Completed filtering (rules).
        id: '100010'
        level: '0'
        description: 'Analisys'
        groups: '['darktrace alerts']'
        firedtimes: '1'
        mail: 'False'

I have also tried to set the <prematch> label to:
  • - - - 
  •  darktrace - - -
  • darktrace-dt-24698-01 darktrace - - -
But it doesn't work with any of these configurations.

If I run /var/ossec/bin/wazuh-logtest and test only the "JSON part" of the log, it works correctly.

Thanks in advance for your support. 

Best regards,

yari arcopinto

Jul 18, 2023, 6:47:26 AM
to Wazuh mailing list
Little edit,

I also tried with:

<decoder name="Darktrace_child">
  <prematch>(\W)(\s)</prematch>
  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

So I was able to hit the exact point before the JSON starts ( - - - ).

But it doesn't work anyway.

Regards,

yari arcopinto

Jul 18, 2023, 6:59:48 AM
to Wazuh mailing list
Another edit, for the topic...

This issue has been solved by removing the "parent" and "child" classes, and just adding "darktrace - - - " to the prematch.

yari arcopinto

Jul 18, 2023, 11:19:06 AM
to Wazuh mailing list
Hello Selu, 

Is there any way to trigger the "new rule" I configured for only one log?

Because I see that, setting local_rules as follows:

<group name="Darktrace">
  <rule id="100010" level="10">
    <description>Darktrace_Alerts</description>
  </rule>
</group>

it will add Description = Darktrace_Alerts and Rule ID = 100010 to every log.

Thanks!

Selu López

Jul 20, 2023, 7:43:49 AM
to Wazuh mailing list

Hello Yari,

Sorry for the delay. I’m glad you could fix the problem with the decoder! Regarding your last question, I’m not sure if I understand what you want to achieve:

  1. Do you want the alert to be generated only once? ignore parameter inside the rule option could be used for this purpose.
  2. Do you want the alert to be generated only for a specific log and not all the ones that could come from Darktrace? You could achieve this by putting more filters in the rule, for example with the field option.
  3. Do you want to remove the description and rule_id fields from the alert? I think this is not possible.
  4. Do you want to do something other than what I mentioned?

Kind regards!


yari arcopinto

Jul 20, 2023, 8:16:00 AM
to Wazuh mailing list

Hello Selu, 

Thanks for your reply. 

I have created a new decoder.xml:

<decoder name="Darktrace">
  <prematch>darktrace </prematch>
  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

and a new rules.xml:

<group name="Darktrace">
  <rule id="119000" level="10">
    <description>Darktrace_Alerts</description>
  </rule>
</group>

When I receive a log like the one below:

2023 Jul 20 12:23:16 darktrace-dt-24698-01->172.18.17.8 Jul 20 10:23:28 darktrace-dt-24698-01 darktrace {"model":{"name":"Antigena::Network::External Threat::Antigena Tor Block","pid":74,"phid":3700,"uuid":"******************","logic":{"data":[{"cid":7359,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":3600,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{"action":"quarantineOutgoing","confirm":false,"duration":3600,"threshold":"1"},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":[],"interval":3600,"delay":0,"sequenced":false,"active":true,"modified":"2022-01-12 18:31:10","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":false,"description":"A device is communicating with the Tor network privacy service. Use of The Onion Router (Tor) can indicate a larger threat as this is not commonly used for legitimate business activities, but is commonly used for malicious purposes.\\\n\\\nAction: Review the other breaches from this device. 
If the device doesn't need to communicate with Tor for business purposes, remove the device from the network.","behaviour":"decreasing","defeats":[],"created":{"by":"System"},"edited":{"by":"System"},"version":14,"mitre":{"tactics":["command-and-control"],"techniques":["T1090.003"]},"priority":3,"category":"Informational","compliance":false},"device":{"did":9,"ip":"*********,"ips":[{"ip":"***********","timems":1689847200000,"time":"2023-07-20 10:00:00","sid":2}],"sid":2,"hostname":"*************","firstSeen":1616167091000,"lastSeen":1689848526000,"typename":"server","typelabel":"Server","tags":[{"tid":45,"expiry":0,"thid":45,"name":"Antigena External Threat","restricted":false,"data":{"auto":false,"color":110,"description":"","visibility":"Public"},"isReferenced":true},{"tid":64,"expiry":0,"thid":64,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true},{"tid":79,"expiry":0,"thid":79,"name":"High Risk","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true},{"tid":31,"expiry":0,"thid":31,"name":"Microsoft Windows","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true}]},"triggeredComponents":[{"time":1689848580000,"cbid":1589,"cid":7359,"chid":11275,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":{"left":"A","operator":"AND","right":"B"},"operator":"OR","right":{"left":"A","operator":"AND","right":"C"}},"version":"v0.1"},"metric":{"mlid":234,"name":"dtmodelbreach","label":"Model"},"triggeredFilters":[{"cfid":86198,"id":"A","filterType":"Message","arguments":{"value":"Tor Usage"},"comparatorType":"contains","trigger":{"value":"Compromise / Possible Tor Usage"}},{"cfid":86200,"id":"C","filterType":"Tagged internal source","arguments":{"value":45},"comparatorType":"has tag","trigger":{"value":"45","tag":{"tid":45,"expiry":0,"thid":45,"name":"Antigena External 
Threat","restricted":false,"data":{"auto":false,"color":110,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":86201,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"Compromise / Possible Tor Usage"}}]}],"breachUrl":"https://darktrace-dt-24698-01/#modelbreach/1202","pbid":1202,"score":0.728,"commentCount":0,"creationTime":1689848606000,"time":1689848581000,"mitreTechniques":[{"technique":"Multi-hop Proxy","techniqueID":"T1090.003"}]}

I have tested the decoder.xml and the rules.xml with the command /var/ossec/bin/wazuh-logtest and everything looks to be working fine:

**Phase 1: Completed pre-decoding.
        full event: '2023 Jul 20 12:23:16 darktrace-dt-24698-01->172.18.17.8 Jul 20 10:23:28 darktrace-dt-24698-01 darktrace {"model":{"name":"Antigena::Network::External Threat::Antigena Tor Block","pid":74,"phid":3700,"uuid":"*********************","logic":{"data":[{"cid":7359,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":3600,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{"action":"quarantineOutgoing","confirm":false,"duration":3600,"threshold":"1"},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":[],"interval":3600,"delay":0,"sequenced":false,"active":true,"modified":"2022-01-12 18:31:10","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":false,"description":"A device is communicating with the Tor network privacy service. Use of The Onion Router (Tor) can indicate a larger threat as this is not commonly used for legitimate business activities, but is commonly used for malicious purposes.\\\n\\\nAction: Review the other breaches from this device. 
If the device doesn't need to communicate with Tor for business purposes, remove the device from the network.","behaviour":"decreasing","defeats":[],"created":{"by":"System"},"edited":{"by":"System"},"version":14,"mitre":{"tactics":["command-and-control"],"techniques":["T1090.003"]},"priority":3,"category":"Informational","compliance":false},"device":{"did":9,"ip":"*********","ips":[{"ip":"**************","timems":1689847200000,"time":"2023-07-20 10:00:00","sid":2}],"sid":2,"hostname":"********************","firstSeen":1616167091000,"lastSeen":1689848526000,"typename":"server","typelabel":"Server","tags":[{"tid":45,"expiry":0,"thid":45,"name":"Antigena External Threat","restricted":false,"data":{"auto":false,"color":110,"description":"","visibility":"Public"},"isReferenced":true},{"tid":64,"expiry":0,"thid":64,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true},{"tid":79,"expiry":0,"thid":79,"name":"High Risk","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true},{"tid":31,"expiry":0,"thid":31,"name":"Microsoft Windows","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true}]},"triggeredComponents":[{"time":1689848580000,"cbid":1589,"cid":7359,"chid":11275,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":{"left":"A","operator":"AND","right":"B"},"operator":"OR","right":{"left":"A","operator":"AND","right":"C"}},"version":"v0.1"},"metric":{"mlid":234,"name":"dtmodelbreach","label":"Model"},"triggeredFilters":[{"cfid":86198,"id":"A","filterType":"Message","arguments":{"value":"Tor Usage"},"comparatorType":"contains","trigger":{"value":"Compromise / Possible Tor Usage"}},{"cfid":86200,"id":"C","filterType":"Tagged internal source","arguments":{"value":45},"comparatorType":"has tag","trigger":{"value":"45","tag":{"tid":45,"expiry":0,"thid":45,"name":"Antigena External 
Threat","restricted":false,"data":{"auto":false,"color":110,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":86201,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"Compromise / Possible Tor Usage"}}]}],"breachUrl":"https://darktrace-dt-24698-01/#modelbreach/1202","pbid":1202,"score":0.728,"commentCount":0,"creationTime":1689848606000,"time":1689848581000,"mitreTechniques":[{"technique":"Multi-hop Proxy","techniqueID":"T1090.003"}]}'
        timestamp: '2023 Jul 20 12:23:16'

**Phase 2: Completed decoding.
        name: 'Darktrace'
        breachUrl: 'https://darktrace-dt-24698-01/#modelbreach/1202'
        commentCount: '0'
        creationTime: '1689848606000.000000'
        device.did: '9'
        device.firstSeen: '1616167091000.000000'
        device.hostname: '****************
        device.ip: '************'
        device.ips: '[{'ip': '**************', 'timems': 1689847200000, 'time': '2023-07-20 10:00:00', 'sid': 2}]'
        device.lastSeen: '1689848526000.000000'
        device.sid: '2'
        device.tags: '[{'tid': 45, 'expiry': 0, 'thid': 45, 'name': 'Antigena External Threat', 'restricted': False, 'data': {'auto': False, 'color': 110, 'description': '', 'visibility': 'Public'}, 'isReferenced': True}, {'tid': 64, 'expiry': 0, 'thid': 64, 'name': 'Domain Authenticated', 'restricted': False, 'data': {'auto': False, 'color': 200, 'description': ''}, 'isReferenced': True}, {'tid': 79, 'expiry': 0, 'thid': 79, 'name': 'High Risk', 'restricted': False, 'data': {'auto': False, 'color': 200, 'description': ''}, 'isReferenced': True}, {'tid': 31, 'expiry': 0, 'thid': 31, 'name': 'Microsoft Windows', 'restricted': False, 'data': {'auto': False, 'color': 168, 'description': '', 'visibility': 'Public'}, 'isReferenced': True}]'
        device.typelabel: 'Server'
        device.typename: 'server'
        mitreTechniques: '[{'technique': 'Multi-hop Proxy', 'techniqueID': 'T1090.003'}]'
        model.actions.alert: 'true'
        model.actions.antigena.action: 'quarantineOutgoing'
        model.actions.antigena.confirm: 'false'
        model.actions.antigena.duration: '3600'
        model.actions.antigena.threshold: '1'
        model.actions.breach: 'true'
        model.actions.model: 'true'
        model.actions.setPriority: 'false'
        model.actions.setTag: 'false'
        model.actions.setType: 'false'
        model.active: 'true'
        model.activeTimes.type: 'exclusions'
        model.activeTimes.version: '2'
        model.autoSuppress: 'false'
        model.autoUpdatable: 'true'
        model.autoUpdate: 'true'
        model.behaviour: 'decreasing'
        model.category: 'Informational'
        model.compliance: 'false'
        model.created.by: 'System'
        model.defeats: '[]'
        model.delay: '0'
        model.description: 'A device is communicating with the Tor network privacy service. Use of The Onion Router (Tor) can indicate a larger threat as this is not commonly used for legitimate business activities, but is commonly used for malicious purposes.\
\
Action: Review the other breaches from this device. If the device doesn't need to communicate with Tor for business purposes, remove the device from the network.'
        model.edited.by: 'System'
        model.interval: '3600'
        model.logic.data: '[{'cid': 7359, 'weight': 1}]'
        model.logic.targetScore: '1'
        model.logic.type: 'weightedComponentList'
        model.logic.version: '1'
        model.mitre.tactics: '['command-and-control']'
        model.mitre.techniques: '['T1090.003']'
        model.modified: '2022-01-12 18:31:10'
        model.name: 'Antigena::Network::External Threat::Antigena Tor Block'
        model.phid: '3700'
        model.pid: '74'
        model.priority: '3'
        model.sequenced: 'false'
        model.sharedEndpoints: 'false'
        model.tags: '[]'
        model.throttle: '3600'
        model.uuid: '*****************'
        model.version: '14'
        pbid: '1202'
        score: '0.728000'
        time: '1689848581000.000000'
        triggeredComponents: '[{'time': 1689848580000, 'cbid': 1589, 'cid': 7359, 'chid': 11275, 'size': 1, 'threshold': 0, 'interval': 3600, 'logic': {'data': {'left': {'left': 'A', 'operator': 'AND', 'right': 'B'}, 'operator': 'OR', 'right': {'left': 'A', 'operator': 'AND', 'right': 'C'}}, 'version': 'v0.1'}, 'metric': {'mlid': 234, 'name': 'dtmodelbreach', 'label': 'Model'}, 'triggeredFilters': [{'cfid': 86198, 'id': 'A', 'filterType': 'Message', 'arguments': {'value': 'Tor Usage'}, 'comparatorType': 'contains', 'trigger': {'value': 'Compromise / Possible Tor Usage'}}, {'cfid': 86200, 'id': 'C', 'filterType': 'Tagged internal source', 'arguments': {'value': 45}, 'comparatorType': 'has tag', 'trigger': {'value': '45', 'tag': {'tid': 45, 'expiry': 0, 'thid': 45, 'name': 'Antigena External Threat', 'restricted': False, 'data': {'auto': False, 'color': 110, 'description': '', 'visibility': 'Public'}, 'isReferenced': True}}}, {'cfid': 86201, 'id': 'd1', 'filterType': 'Message', 'arguments': {}, 'comparatorType': 'display', 'trigger': {'value': 'Compromise / Possible Tor Usage'}}]}]'


**Phase 3: Completed filtering (rules).
        id: '119000'
        level: '10'
        description: 'Darktrace_Alerts'
        groups: '['Darktrace']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.


But looking in the SIEM I can see that the new decoder has been applied to all the logs instead of only the Darktrace logs, e.g. in the "full.log":

Jul 20 14:05:21 CLO-DWH1 systemd-logind[783]: Removed session 4879996.
where the "prematch word" darktrace is not present....
I would like the decoder and the rule to work only for logs received from Darktrace.

Thanks in advance for your support.

Selu López

Jul 21, 2023, 5:07:18 AM
to Wazuh mailing list

Hello Yari,

Note that the alert will contain all the fields decoded by the decoder. There were some things wrong in your decoder/rule and in your test log; I will detail them. First of all, the yellow portion of your example log contains additional information appended by Wazuh:

2023 Jul 20 12:23:16 darktrace-dt-24698-01->172.18.17.8 Jul 20 10:23:28 darktrace-dt-24698-01 darktrace {"model":{"name":"Antigena::Network::External Threat::Antigena Tor Block","pid":74,"phid":3700,"uuid":"******************","logic":{"data":[{"cid":7359,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":3600,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{"action":"quarantineOutgoing","confirm":false,"duration":3600,"threshold":"1"},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":[],"interval":3600,"delay":0,"sequenced":false,"active":true,"modified":"2022-01-12 18:31:10","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":false,"description":"A device is communicating with the Tor network privacy service. Use of The Onion Router (Tor) can indicate a larger threat as this is not commonly used for legitimate business activities, but is commonly used for malicious purposes.\\\n\\\nAction: Review the other breaches from this device. 
If the device doesnt need to communicate with Tor for business purposes, remove the device from the network.","behaviour":"decreasing","defeats":[],"created":{"by":"System"},"edited":{"by":"System"},"version":14,"mitre":{"tactics":["command-and-control"],"techniques":["T1090.003"]},"priority":3,"category":"Informational","compliance":false},"device":{"did":9,"ip":"*********","ips":[{"ip":"***********","timems":1689847200000,"time":"2023-07-20 10: 00: 00","sid":2}],"sid":2,"hostname":"*************","firstSeen":1616167091000,"lastSeen":1689848526000,"typename":"server","typelabel":"Server","tags":[{"tid":45,"expiry":0,"thid":45,"name":"Antigena External Threat","restricted":false,"data":{"auto":false,"color":110,"description":"","visibility":"Public"},"isReferenced":true},{"tid":64,"expiry":0,"thid":64,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true},{"tid":79,"expiry":0,"thid":79,"name":"High Risk","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true},{"tid":31,"expiry":0,"thid":31,"name":"Microsoft Windows","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true}]},"triggeredComponents":[{"time":1689848580000,"cbid":1589,"cid":7359,"chid":11275,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":{"left":"A","operator":"AND","right":"B"},"operator":"OR","right":{"left":"A","operator":"AND","right":"C"}},"version":"v0.1"},"metric":{"mlid":234,"name":"dtmodelbreach","label":"Model"},"triggeredFilters":[{"cfid":86198,"id":"A","filterType":"Message","arguments":{"value":"Tor Usage"},"comparatorType":"contains","trigger":{"value":"Compromise / Possible Tor Usage"}},{"cfid":86200,"id":"C","filterType":"Tagged internal source","arguments":{"value":45},"comparatorType":"has tag","trigger":{"value":"45","tag":{"tid":45,"expiry":0,"thid":45,"name":"Antigena External 
Threat","restricted":false,"data":{"auto":false,"color":110,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":86201,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"Compromise / Possible Tor Usage"}}]}],"breachUrl":"https: //darktrace-dt-24698-01/#modelbreach/1202","pbid":1202,"score":0.728,"commentCount":0,"creationTime":1689848606000,"time":1689848581000,"mitreTechniques":[{"technique":"Multi-hop Proxy","techniqueID":"T1090.003"}]}

You should use just the gray portion in the wazuh-logtest tool. In addition, there was a missing quote in the log (it seems you deleted it by default while editing "ip":"*******") so the JSON decoder was not unpacking any of it. Lastly, the rule was missing the decoded_as field, thus matching all logs instead of only those decoded by the Darktrace decoder.

Based on this, the following decoder and rule should fit your use case. Feel free to rename any field:

Decoder (place it on /var/ossec/etc/decoders/local_decoder.xml)

<decoder name="Darktrace">
  <prematch>darktrace</prematch>
  <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>

Rule (place it on /var/ossec/etc/rules/local_rules.xml)

<group name="Darktrace">
  <rule id="119000" level="10">
    <decoded_as>Darktrace</decoded_as>
    <description>Darktrace_Alerts</description>
  </rule>
</group>

Example alert using the wazuh-logtest tool:

**Phase 1: Completed pre-decoding. full event: 'Jul 20 10:23:28 darktrace-dt-24698-01 darktrace {"model":{"name":"Antigena::Network::External Threat::Antigena Tor Block","pid":74,"phid":3700,"uuid":"******************","logic":{"data":[{"cid":7359,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":3600,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{"action":"quarantineOutgoing","confirm":false,"duration":3600,"threshold":"1"},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":[],"interval":3600,"delay":0,"sequenced":false,"active":true,"modified":"2022-01-12 18:31:10","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":false,"description":"A device is communicating with the Tor network privacy service. Use of The Onion Router (Tor) can indicate a larger threat as this is not commonly used for legitimate business activities, but is commonly used for malicious purposes.\\\n\\\nAction: Review the other breaches from this device. 
If the device doesn't need to communicate with Tor for business purposes, remove the device from the network.","behaviour":"decreasing","defeats":[],"created":{"by":"System"},"edited":{"by":"System"},"version":14,"mitre":{"tactics":["command-and-control"],"techniques":["T1090.003"]},"priority":3,"category":"Informational","compliance":false},"device":{"did":9,"ip":"*********","ips":[{"ip":"***********","timems":1689847200000,"time":"2023-07-20 10: 00: 00","sid":2}],"sid":2,"hostname":"*************","firstSeen":1616167091000,"lastSeen":1689848526000,"typename":"server","typelabel":"Server","tags":[{"tid":45,"expiry":0,"thid":45,"name":"Antigena External Threat","restricted":false,"data":{"auto":false,"color":110,"description":"","visibility":"Public"},"isReferenced":true},{"tid":64,"expiry":0,"thid":64,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true},{"tid":79,"expiry":0,"thid":79,"name":"High Risk","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true},{"tid":31,"expiry":0,"thid":31,"name":"Microsoft Windows","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true}]},"triggeredComponents":[{"time":1689848580000,"cbid":1589,"cid":7359,"chid":11275,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":{"left":"A","operator":"AND","right":"B"},"operator":"OR","right":{"left":"A","operator":"AND","right":"C"}},"version":"v0.1"},"metric":{"mlid":234,"name":"dtmodelbreach","label":"Model"},"triggeredFilters":[{"cfid":86198,"id":"A","filterType":"Message","arguments":{"value":"Tor Usage"},"comparatorType":"contains","trigger":{"value":"Compromise / Possible Tor Usage"}},{"cfid":86200,"id":"C","filterType":"Tagged internal source","arguments":{"value":45},"comparatorType":"has tag","trigger":{"value":"45","tag":{"tid":45,"expiry":0,"thid":45,"name":"Antigena External 
Threat","restricted":false,"data":{"auto":false,"color":110,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":86201,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"Compromise / Possible Tor Usage"}}]}],"breachUrl":"https: //darktrace-dt-24698-01/#modelbreach/1202","pbid":1202,"score":0.728,"commentCount":0,"creationTime":1689848606000,"time":1689848581000,"mitreTechniques":[{"technique":"Multi-hop Proxy","techniqueID":"T1090.003"}]}' timestamp: 'Jul 20 10:23:28' hostname: 'darktrace-dt-24698-01' **Phase 2: Completed decoding. name: 'Darktrace' breachUrl: 'https: //darktrace-dt-24698-01/#modelbreach/1202' commentCount: '0' creationTime: '1689848606000.000000' device.did: '9' device.firstSeen: '1616167091000.000000' device.hostname: '*************' device.ip: '*********' device.ips: '[{'ip': '***********', 'timems': 1689847200000, 'time': '2023-07-20 10: 00: 00', 'sid': 2}]' device.lastSeen: '1689848526000.000000' device.sid: '2' device.tags: '[{'tid': 45, 'expiry': 0, 'thid': 45, 'name': 'Antigena External Threat', 'restricted': False, 'data': {'auto': False, 'color': 110, 'description': '', 'visibility': 'Public'}, 'isReferenced': True}, {'tid': 64, 'expiry': 0, 'thid': 64, 'name': 'Domain Authenticated', 'restricted': False, 'data': {'auto': False, 'color': 200, 'description': ''}, 'isReferenced': True}, {'tid': 79, 'expiry': 0, 'thid': 79, 'name': 'High Risk', 'restricted': False, 'data': {'auto': False, 'color': 200, 'description': ''}, 'isReferenced': True}, {'tid': 31, 'expiry': 0, 'thid': 31, 'name': 'Microsoft Windows', 'restricted': False, 'data': {'auto': False, 'color': 168, 'description': '', 'visibility': 'Public'}, 'isReferenced': True}]' device.typelabel: 'Server' device.typename: 'server' mitreTechniques: '[{'technique': 'Multi-hop Proxy', 'techniqueID': 'T1090.003'}]' model.actions.alert: 'true' model.actions.antigena.action: 'quarantineOutgoing' model.actions.antigena.confirm: 
'false' model.actions.antigena.duration: '3600' model.actions.antigena.threshold: '1' model.actions.breach: 'true' model.actions.model: 'true' model.actions.setPriority: 'false' model.actions.setTag: 'false' model.actions.setType: 'false' model.active: 'true' model.activeTimes.type: 'exclusions' model.activeTimes.version: '2' model.autoSuppress: 'false' model.autoUpdatable: 'true' model.autoUpdate: 'true' model.behaviour: 'decreasing' model.category: 'Informational' model.compliance: 'false' model.created.by: 'System' model.defeats: '[]' model.delay: '0' model.description: 'A device is communicating with the Tor network privacy service. Use of The Onion Router (Tor) can indicate a larger threat as this is not commonly used for legitimate business activities, but is commonly used for malicious purposes.\ \ Action: Review the other breaches from this device. If the device doesn't need to communicate with Tor for business purposes, remove the device from the network.' model.edited.by: 'System' model.interval: '3600' model.logic.data: '[{'cid': 7359, 'weight': 1}]' model.logic.targetScore: '1' model.logic.type: 'weightedComponentList' model.logic.version: '1' model.mitre.tactics: '['command-and-control']' model.mitre.techniques: '['T1090.003']' model.modified: '2022-01-12 18:31:10' model.name: 'Antigena::Network::External Threat::Antigena Tor Block' model.phid: '3700' model.pid: '74' model.priority: '3' model.sequenced: 'false' model.sharedEndpoints: 'false' model.tags: '[]' model.throttle: '3600' model.uuid: '******************' model.version: '14' pbid: '1202' score: '0.728000' time: '1689848581000.000000' triggeredComponents: '[{'time': 1689848580000, 'cbid': 1589, 'cid': 7359, 'chid': 11275, 'size': 1, 'threshold': 0, 'interval': 3600, 'logic': {'data': {'left': {'left': 'A', 'operator': 'AND', 'right': 'B'}, 'operator': 'OR', 'right': {'left': 'A', 'operator': 'AND', 'right': 'C'}}, 'version': 'v0.1'}, 'metric': {'mlid': 234, 'name': 'dtmodelbreach', 'label': 
'Model'}, 'triggeredFilters': [{'cfid': 86198, 'id': 'A', 'filterType': 'Message', 'arguments': {'value': 'Tor Usage'}, 'comparatorType': 'contains', 'trigger': {'value': 'Compromise / Possible Tor Usage'}}, {'cfid': 86200, 'id': 'C', 'filterType': 'Tagged internal source', 'arguments': {'value': 45}, 'comparatorType': 'has tag', 'trigger': {'value': '45', 'tag': {'tid': 45, 'expiry': 0, 'thid': 45, 'name': 'Antigena External Threat', 'restricted': False, 'data': {'auto': False, 'color': 110, 'description': '', 'visibility': 'Public'}, 'isReferenced': True}}}, {'cfid': 86201, 'id': 'd1', 'filterType': 'Message', 'arguments': {}, 'comparatorType': 'display', 'trigger': {'value': 'Compromise / Possible Tor Usage'}}]}]' **Phase 3: Completed filtering (rules). id: '119000' level: '10' description: 'Darktrace_Alerts' groups: '['Darktrace']' firedtimes: '1' mail: 'False' **Alert to be generated.
Note that the alert will contain all the fields decoded by the decoder. Let me know if this works for you.

Kind regards.

yari arcopinto
Jul 28, 2023, 10:38:50 AM
to Wazuh mailing list
Hello Selu,

Sorry for my late reply. Yes, it looks to be working well; I will let it run for some days and check it in Elastic.

Just one last thing: as you can see, the yellow parts (below the decoded log) are composed of another JSON.



How can I decode these parts too?

Best regards,
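A small Python model of the two decoding phases shown in the logtest output above, added here as an illustration and not code from the thread or from Wazuh: the syslog header is split from the JSON payload, nested objects become dotted fields, and arrays such as device.tags and mitreTechniques are kept as one text field, which is why they show up undecoded. The expand_arrays option shows what per-element fields would look like if the arrays were flattened in a pre-processing step; that step and the shortened sample event (placeholder IP) are assumptions of this example, not a Wazuh decoder setting.

```python
import json
import re

# Constructed sample in the shape of the Darktrace syslog line from the thread
# (shortened; the IP is a documentation placeholder, not a real address).
SAMPLE = ('Jul 20 10:23:28 darktrace-dt-24698-01 darktrace '
          '{"model":{"name":"Antigena::Network::External Threat::Antigena Tor Block",'
          '"priority":3,"actions":{"alert":true,"antigena":{"action":"quarantineOutgoing"}}},'
          '"device":{"did":9,"ip":"192.0.2.10","tags":[{"tid":45,"name":"Antigena External Threat"},'
          '{"tid":79,"name":"High Risk"}]},'
          '"mitreTechniques":[{"technique":"Multi-hop Proxy","techniqueID":"T1090.003"}],'
          '"pbid":1202,"score":0.728}')

# "<Mon> <day> <hh:mm:ss> <hostname> <program> {json}"
SYSLOG_RE = re.compile(r'^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+) (\{.*\})\s*$')


def pre_decode(line):
    """Phase 1: separate the syslog header fields from the JSON payload."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a Darktrace syslog line")
    timestamp, hostname, program, payload = m.groups()
    return {"timestamp": timestamp, "hostname": hostname,
            "program": program, "payload": json.loads(payload)}


def flatten(value, prefix="", expand_arrays=False, out=None):
    """Phase 2: turn nested objects into dotted field names.
    With expand_arrays=False lists stay a single text field (as device.tags and
    mitreTechniques do in the logtest output); with expand_arrays=True each list
    element becomes an indexed field such as device.tags.1.name (assumed step)."""
    if out is None:
        out = {}
    if isinstance(value, dict):
        for key, child in value.items():
            flatten(child, f"{prefix}{key}.", expand_arrays, out)
    elif isinstance(value, list) and expand_arrays:
        for index, child in enumerate(value):
            flatten(child, f"{prefix}{index}.", expand_arrays, out)
    elif isinstance(value, list):
        out[prefix[:-1]] = json.dumps(value)   # kept as text, not decoded
    else:
        out[prefix[:-1]] = value
    return out


def decode(line, expand_arrays=False):
    """Run both phases and return the flat field map for the event."""
    event = pre_decode(line)
    fields = flatten(event.pop("payload"), expand_arrays=expand_arrays)
    fields.update(event)
    return fields
```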