Velociraptor Logs to SIEM


Paul Kotila

Nov 14, 2024, 3:55:31 PM
to velocirapt...@googlegroups.com
Hi Mike,

I'm tuning Velociraptor logs. Graylog is showing the rule description "integrity checksum changed" as a top alert. Below is an example. Should I keep logging these or drop them?

File '/opt/velociraptor/clients/C.346a785d4dabdbc0/monitoring/Generic.Client.Stats/2024-11-11.json' modified
Mode: realtime
Changed attributes: size,mtime,md5,sha1,sha256

Mike Cohen

Nov 14, 2024, 6:08:01 PM
to Paul Kotila, velociraptor-discuss
I'm not sure why you have integrity checks on data files. These files are always modified as data comes in. Usually file integrity monitoring is done on binaries and static files that are not supposed to change. 

Velociraptor is only ever writing inside the data store directory that's configured in the config file. That directory is for storing data, so it should be excluded from the file integrity monitoring.

Thanks
Mike


Paul Kotila

Nov 14, 2024, 7:20:28 PM
to Mike Cohen, velociraptor-discuss
Thank you for the clarification and knowledge. This is my first time implementing a SIEM, so I've been tuning out the extra noise. This finally moved up in my queue to tackle.

I'll read up on best practices for FIM and make sure we are not monitoring data stores elsewhere. 

Again thank you for helping me out with this.

Paul Kotila

Nov 18, 2024, 9:56:33 AM
to velociraptor-discuss
Hi Mike,

I'm still working on tuning Wazuh's FIM. So far I've found the following areas that look to be locations where change is expected (my understanding). 

<ignore>/opt/velociraptor/clients</ignore>
<ignore>/opt/velociraptor/server_artifacts/Server.Monitor.Health/Prometheus</ignore>
<ignore>/opt/velociraptor/logs</ignore>
<ignore>/opt/velociraptor/client_info/snapshot.json.index</ignore>
<ignore>/opt/velociraptor/client_info/snapshot.json</ignore>

I couldn't find anything suggesting which Velociraptor files/folders to exclude within FIM.

Mike Cohen

Nov 18, 2024, 10:06:22 AM
to Paul Kotila, velociraptor-discuss
The Velociraptor server only ever writes in its data store which is by default /opt/velociraptor - so anything under there should be excluded.

Of course, the server allows notebooks, which let users write anywhere they like, but that is a different issue and those locations should probably still be monitored.

Thanks
Mike

Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 

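Mike's rule of thumb above (exclude everything under the configured data store, keep watching everything else, notebook output included) can be applied mechanically. The script below is an added example, not code from this thread or from the Velociraptor or Wazuh projects: it reads the write locations out of a constructed excerpt of a Velociraptor server.config.yaml (the Datastore.location / Datastore.filestore_directory / Logging.output_directory keys and the /opt/velociraptor default are assumed), renders the matching Wazuh syscheck <ignore> entries in the format Paul used, and triages constructed FIM alert lines shaped like the one quoted earlier so that data-store churn is separated from writes outside the data store that still deserve review.

```python
import re
from pathlib import PurePosixPath

# Constructed excerpt of a Velociraptor server.config.yaml. The key layout
# (Datastore.location, Datastore.filestore_directory, Logging.output_directory)
# is an assumption for this example.
SERVER_CONFIG = """\
Datastore:
  implementation: FileBaseDataStore
  location: /opt/velociraptor
  filestore_directory: /opt/velociraptor
Logging:
  output_directory: /opt/velociraptor/logs
"""

# Constructed FIM alert lines in the shape quoted earlier in the thread.
# The last line is deliberately non-canonical to show path normalisation.
FIM_ALERTS = """\
File '/opt/velociraptor/clients/C.346a785d4dabdbc0/monitoring/Generic.Client.Stats/2024-11-11.json' modified
File '/opt/velociraptor/client_info/snapshot.json' modified
File '/usr/local/bin/velociraptor' modified
File '/etc/velociraptor/server.config.yaml' modified
File '/opt/velociraptor/../../../etc/passwd' modified
"""

# Config keys that name a directory the server writes into.
WRITE_LOCATION_KEYS = ("location", "filestore_directory", "output_directory")

ALERT_RE = re.compile(r"File '([^']+)' (added|modified|deleted)")


def datastore_roots(config_text):
    """Collect the directories the server config says Velociraptor writes to."""
    roots = set()
    for line in config_text.splitlines():
        m = re.match(r"^\s+(\w+):\s*(\S+)\s*$", line)
        if m and m.group(1) in WRITE_LOCATION_KEYS:
            roots.add(str(PurePosixPath(m.group(2))))
    return sorted(roots)


def normalize(path):
    """Collapse '.' and '..' segments lexically, without touching the filesystem,
    so a path cannot escape a root by way of parent references."""
    parts = []
    for seg in PurePosixPath(path).parts:
        if seg == "..":
            if len(parts) > 1:  # never pop the leading '/'
                parts.pop()
        elif seg != ".":
            parts.append(seg)
    return str(PurePosixPath(*parts)) if parts else "/"


def is_under(path, roots):
    """True if the (normalised) path equals or lies below any configured root."""
    p = PurePosixPath(normalize(path))
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in roots)


def triage(alert_text, roots):
    """Label each alert as expected data-store churn or as something to review."""
    results = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        path, event = m.groups()
        verdict = "expected-datastore-write" if is_under(path, roots) else "review"
        results.append((path, event, verdict))
    return results


def wazuh_ignore_block(roots):
    """Render one <ignore> entry per root for the syscheck section of ossec.conf."""
    return "\n".join(f"<ignore>{r}</ignore>" for r in roots)


if __name__ == "__main__":
    roots = datastore_roots(SERVER_CONFIG)
    print(wazuh_ignore_block(roots))
    for path, event, verdict in triage(FIM_ALERTS, roots):
        print(f"{verdict:25} {event:8} {path}")
```

Note that the binary under /usr/local/bin and the server config under /etc stay in the "review" bucket: those are the static files FIM is meant to watch, and a notebook writing outside the data store would land there too. The second ignore entry (/opt/velociraptor/logs) is redundant once /opt/velociraptor is ignored, which the output makes visible.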

Paul Kotila

Nov 18, 2024, 12:46:43 PM
to velociraptor-discuss
Thank you, Mike.