MITRE ID in JSON Rules - How can I show them on Wazuh Portal?
Constantinos Evangelou
Jun 22, 2023, 3:53:13 PM
to Wazuh mailing list
Hi, I am parsing JSON logs using Wazuh and the specific logs include MITRE ATT&CK Techniques (e.g. T1047) which I want to use on Wazuh Web Console. I understand that my custom rules need to have <mitre></mitre> with defined IDs that I specify. However, here the IDs are provided in the JSON log, but I am not sure if and how I can use them. I've tried the mitre.id field inside the imported JSON; however, as soon as I do this the logs stop showing inside Wazuh. If I change the field to e.g. mitre.id.test I can see the logs just fine, but without MITRE mappings, and the mapping that is imported from my JSON is shown as data.mitre.id.test. Any ideas here, because I am really lost?