Ransomware Monitoring using Wazuh: how to reveal the agent that is attacked?


mauro....@cmcc.it

May 26, 2021, 2:22:46 PM
to Wazuh mailing list

Hi all,

I just implemented the ransomware monitoring mentioned in this blog:


For educational purposes, I set a low threshold value and I received the alert message as expected.
But I have a question. Now I know when a ransomware attack is running and when the alert threshold is reached, but I don't know where the attack is running.

Is there a way to add, in the alert mail message, the name of the agent that is attacked?

Thank you,
Mauro

Julio José Reyes Hurtado

May 27, 2021, 9:09:30 AM
to Wazuh mailing list
Hi Mauro,

To check the agent.id that is sending the alert you can go to your Kibana > Go to Discover (where you can see all the alerts) > Click on the ransomware alert. This will unfold all the fields inside the alert, two of them are agent.id and agent.name.

Check the image extracted from my deployment.



Hope it helps, tell me otherwise.

Regards, Julio Reyes

Mauro Tridici

May 27, 2021, 11:24:51 AM
to Julio José Reyes Hurtado, Wazuh mailing list
Hello Julio,

thank you very much for your answer.

In my case, I used the “Alerting” feature section provided by Open Distro to enable ransomware alerts (see the image below).


In particular, following the instructions of the Wazuh blog, I created a trigger that is working as expected, but I would like to add some info about the agent (or the list of agents) that triggered the alert.
In other words, I would like to change the format of the alert mail message, adding something like "Agent List: {{???????????}}", but I don’t know how to do it using “Mustache”.


Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}

- Agent List: {{???????????}}



Do you know the Mustache syntax that I need to reach the target?

Thank you,
Mauro



Julio José Reyes Hurtado

May 28, 2021, 5:01:46 AM
to Wazuh mailing list
Hi Mauro, I've been searching about Mustache in Open Distro and I've found that you can use ctx.results.0 to retrieve all the info returned by the query, so if you perform a query that retrieves info about the agent you would be able to see it.
Another way to check is using ctx.alerts.id to get the alert ID that triggered the monitor and search for it in Kibana.

You can take a look at the Open Distro monitor docs for more information about Mustache and monitors.

Hope it helps, tell me otherwise.

Regards Julio Reyes

Mauro Tridici

May 31, 2021, 1:24:22 AM
to Julio José Reyes Hurtado, Wazuh mailing list
Hello Julio,

thank you for your help.
I just tried to use ctx.alert.it, ctx.alerts.id and ctx.results.0, but no alert id was mentioned in my alert mail and the provided details are not useful.

Source code:

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}

- Alert ID:  {{ctx.alert.id}}

- Details: {{ctx.results.0}}

Received mail:

Monitor Ransomware Attack (Add) just entered alert status. Please investigate the issue.
- Trigger: RansomwareAdd
- Severity: 3
- Period start: 2021-05-31T05:04:29.372Z
- Period end: 2021-05-31T05:09:29.372Z

- Alert ID:  

- Details: {_shards={total=78, failed=0, successful=78, skipped=0}, hits={hits=[], total={value=62, relation=eq}, max_score=null}, took=11, timed_out=false}


Do you have any other idea?

Thank you,
Mauro

Julio José Reyes Hurtado

Jun 2, 2021, 7:40:15 AM
to Wazuh mailing list
Hi Mauro, checking the alerting module: when you choose the method of definition, instead of picking Visual Graph choose Define using extraction query, and you will be able to define the parameters that you want/need to be fetched. You can build your own query and it will be shown in {{ctx.results.0}}. You can try a query to get the alerts and you will be able to locate the alert easily.



Hope it helps, tell me otherwise.

Julio Reyes

Miguel Rodriguez

Sep 2, 2021, 10:44:10 AM
to Wazuh mailing list
Has someone solved the problem? I have the same :(

Miguel Rodriguez

Sep 10, 2021, 4:44:13 AM
to Wazuh mailing list
Please, I need help.

mauro....@cmcc.it

Oct 5, 2021, 6:13:20 PM
to Wazuh mailing list
Hi Julio,

I'm sorry to bother you again, but I'm still not able to complete this task of obtaining the agent ID or name when a ransomware attack is detected.
I tried to change "visual graph" to "extraction query" and I noticed that the text box contains some basic code (please take a look at the attached file).
If I run this code, I obtain almost the same output values mentioned in the notification mail that I posted above.

It's not clear to me what I should write in the text box. I'm searching for an example to get the agent id or name, but I'm not lucky.
Could you please help me to add the agent info in the notification mail message?

Thank you in advance,
Mauro
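The thread stops before anyone shows what the extraction query text box and the Mustache message need to contain. The following is an added example, not code from the thread, from Wazuh or from the Open Distro project. It assumes the standard Elasticsearch search-response shape that Open Distro Alerting exposes under ctx.results.0 (hits plus aggregations), the Wazuh alert fields agent.name and syscheck.event, and Open Distro's {{period_end}} substitution in monitor queries; the sample response, agent names and counts are constructed. The idea is to let the query do the work: a terms aggregation on agent.name groups the matching syscheck events per agent, and a Mustache section tag in the message iterates over the resulting buckets, which is why the plain {{ctx.results.0}} blob in the thread shows hits=[] and no agent.

```python
# Added example: extraction query + Mustache message for an Open Distro Alerting
# monitor that lists the agents generating syscheck "added" events (constructed,
# not the thread's or Wazuh's own code).
import json

# 1. What goes in the "Define using extraction query" text box.
#    {{period_end}} is replaced by the Alerting plugin when the monitor runs
#    (assumption: plugin substitutes it as documented for monitor queries).
#    The 5m window and size=20 are arbitrary choices for the example.
EXTRACTION_QUERY = {
    "size": 0,  # we only need the aggregation, not the raw hits
    "query": {
        "bool": {
            "filter": [
                {"term": {"syscheck.event": "added"}},
                {"range": {"timestamp": {"gte": "{{period_end}}||-5m",
                                         "lte": "{{period_end}}"}}},
            ]
        }
    },
    "aggs": {
        "agents": {"terms": {"field": "agent.name", "size": 20}}
    },
}

# 2. Message template. The {{#...}} / {{/...}} section repeats its body once per
#    bucket, so each agent that produced events appears with its count.
MESSAGE_TEMPLATE = """Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}
- Agent list:
{{#ctx.results.0.aggregations.agents.buckets}}
  * {{key}} ({{doc_count}} files added)
{{/ctx.results.0.aggregations.agents.buckets}}
"""

# Constructed sample of ctx.results.0 after the query above ran: same keys as
# the "Details" blob pasted in the thread, plus the aggregations the query adds.
SAMPLE_RESULTS_0 = {
    "_shards": {"total": 78, "failed": 0, "successful": 78, "skipped": 0},
    "hits": {"hits": [], "total": {"value": 62, "relation": "eq"}, "max_score": None},
    "aggregations": {
        "agents": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "fileserver-01", "doc_count": 58},   # constructed agent name
                {"key": "workstation-07", "doc_count": 4},   # constructed agent name
            ],
        }
    },
    "took": 11,
    "timed_out": False,
}


def agent_buckets(results0):
    """Return [(agent_name, event_count), ...], the list the Mustache section walks."""
    buckets = results0.get("aggregations", {}).get("agents", {}).get("buckets", [])
    return [(b["key"], b["doc_count"]) for b in buckets]


def render_agent_list(results0):
    """Plain-Python stand-in for what the section tag expands to in the mail."""
    lines = [f"  * {name} ({count} files added)" for name, count in agent_buckets(results0)]
    return "\n".join(lines) if lines else "  (no agents matched in this period)"


def trigger_condition(results0, threshold):
    """Python equivalent of a Painless trigger such as
    ctx.results[0].hits.total.value > threshold (the blog-style count threshold)."""
    return results0["hits"]["total"]["value"] > threshold


if __name__ == "__main__":
    print("Extraction query to paste into the monitor:")
    print(json.dumps(EXTRACTION_QUERY, indent=2))
    print("\nTrigger would fire (threshold 50):", trigger_condition(SAMPLE_RESULTS_0, 50))
    print("\nAgent list section of the mail:")
    print(render_agent_list(SAMPLE_RESULTS_0))
```

The monitor still fires on the total count, as in the blog setup; the aggregation only changes what the message can show. If a deployment's ransomware rule uses a dedicated rule.id instead of syscheck.event, that term filter is the one line to swap.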