Anomaly Detection


timothy

Jul 30, 2023, 2:46:50 PM
to Wazuh mailing list
Hi everyone, just looking for some help on the Anomaly Detection Plugin. What can I configure that would help in UEBA? Because right now I'm stumped.

There is a lack of docs on it in regards to Wazuh, and currently I only have a sudoDetect which was taken from https://groups.google.com/g/wazuh/c/qO3NDnL0Zbo and my own detector for deleted and downloaded files. However, they are not really hitting anything.

Could I get some suggestions or examples? Please and thank you.

Aditya Sharma

Jul 30, 2023, 11:50:51 PM
to Wazuh mailing list
Hi team, thanks for using Wazuh!

To enhance the Anomaly Detection Plugin for UEBA, you can configure additional rules and decoders specific to your use case. These rules and decoders should be designed to detect anomalous behavior related to user activity, such as abnormal file access patterns or unusual network traffic. You can also consider integrating external threat intelligence feeds to enrich detection capabilities.

As you know, the Wazuh indexer and dashboard are based on OpenSearch and OpenSearch Dashboards. Since we didn't implement a full integration with the Anomaly Detection plugin, we disabled it by default. If you want to enable it, you need to reinstall it in the Wazuh dashboard.

Please try the following commands:

I hope it helps.

timothy

Jul 31, 2023, 7:29:17 AM
to Wazuh mailing list
Hi! Thanks for the reply, but I have already downloaded the plugin. My question was more towards the creation of detectors, etc. Some examples for detectors would be nice!
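As an added illustration of what such a detector can look like (this is not code from any post in this thread or from the Wazuh project), the following builds and registers a detector through the indexer's Anomaly Detection REST API. It assumes alerts live in `wazuh-alerts-*` with the standard Wazuh fields `timestamp`, `rule.groups`, `rule.id` and `agent.name`, and that the indexer API is reachable with basic auth; the detector name, the 10-minute interval and the index pattern are assumptions to adjust.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Constructed example: a detector definition for the OpenSearch Anomaly Detection
# plugin bundled with the Wazuh indexer. Field names follow the Wazuh alert
# schema; index pattern, detector name and intervals are assumptions.
def build_sudo_detector(interval_minutes=10, category_field="agent.name"):
    """Count sudo-related alerts per agent per interval; the plugin's
    random-cut-forest model flags agents that deviate from their own baseline."""
    return {
        "name": "wazuh-sudo-per-agent",
        "description": "Per-agent volume of sudo alerts (rule group 'sudo')",
        "time_field": "timestamp",
        "indices": ["wazuh-alerts-*"],
        # Only alerts that Wazuh tagged with the 'sudo' rule group are modelled.
        "filter_query": {"bool": {"filter": [{"term": {"rule.groups": "sudo"}}]}},
        "feature_attributes": [{
            "feature_name": "sudo_events",
            "feature_enabled": True,
            "aggregation_query": {"sudo_events": {"value_count": {"field": "rule.id"}}},
        }],
        # High-cardinality detector: one model per distinct agent.name value.
        "category_field": [category_field],
        "detection_interval": {"period": {"interval": interval_minutes, "unit": "Minutes"}},
        # Let late alerts arrive before each window is scored.
        "window_delay": {"period": {"interval": 1, "unit": "Minutes"}},
    }


def _post(url, auth, body, ctx):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/json")
    token = b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def create_and_start(indexer_url, auth, detector, verify_tls=True):
    """Create the detector, then start its job; returns the detector id."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # the default Wazuh indexer certificate is self-signed
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    base = f"{indexer_url}/_plugins/_anomaly_detection/detectors"
    detector_id = _post(base, auth, detector, ctx)["_id"]
    _post(f"{base}/{detector_id}/_start", auth, None, ctx)
    return detector_id
```

A call such as `create_and_start("https://indexer.example:9200", ("admin", "secret"), build_sudo_detector())` registers the detector; once it has seen enough intervals, its results appear under Anomaly Detection in the dashboard and can be turned into alerts there.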