Filter the "Security Events" Module based on Agent Groups
1,162 views
Skip to first unread message
Sam Heuchert
Jun 15, 2022, 12:28:50 PM6/15/22
to Wazuh mailing list
Hi!
Is this possible?
Thanks!
Luis Daniel Avendaño Larios
Jun 15, 2022, 1:38:07 PM6/15/22
to Wazuh mailing list
Hello!
Thanks for using wazuh!
At the moment we do not have a direct filter for agent groups. But you can use the field agent.name, agent.id, or agent.ip with the operator is one of and add several values to be able to generate a filter with the identifiers of the agents that you need.
Another workaround is to make use of DSL Queries, for example, we can create a DSL query to obtain the alerts of an entire subnetwork of 254 hosts:
{
"query": {
"regexp": {
"agent.ip": {
"value": "192.168.0.*",
"case_insensitive": true
}
}
}
}
You can find the DSL query option at module>security events>add filter>Edit as Query DSL. Once there you can paste the query shown above, then click on save. Once saved the query should filter by the specified range of IPs.
On Wednesday, June 15, 2022 at 10:28:50 AM UTC-6 sheu...@onsetsolutions.com wrote:
Hi!Is this possible?Thanks!
Sam Heuchert
Jun 20, 2022, 11:28:39 AM6/20/22
to Wazuh mailing list
Hi Luis!
Thanks for the response on this. Great solution, but my use case is slightly different. See, my use case would be a work-from-home group that is not on the same logical subnet.
Is there anything I can put in the shared config file for the group so it allows it to be filtered even with raw elasticsearch data?
Thanks!
moosemaimer
Jun 20, 2022, 11:54:12 AM6/20/22
to Wazuh mailing list
You could try using a label for each group...
<agent_config>
<labels>
<label key="group_name">Work_From_Home</label>
</labels>
</agent_config>Sam Heuchert
Jun 20, 2022, 11:56:55 AM6/20/22
to Wazuh mailing list
Does the label key show up as an elasticsearch field?
moosemaimer
Jun 20, 2022, 1:07:27 PM6/20/22
to Wazuh mailing list
Yes, it does.
Reply all
Reply to author
Forward
Message has been deleted
0 new messages