Wazuh geo map??


Alvaro Victoriano

Jul 19, 2019, 6:36:48 PM
to Wazuh mailing list
Hello

I need help with this, please.

Is it possible to make a geo map according to events, like the one in the picture?


Thank you
CdZYhiXVIAA_aCG.png

Juan Pablo Saez

Jul 22, 2019, 10:00:54 AM
to Wazuh mailing list
Hi Alvaro,

Yes, you can follow our Enrich events with IP Geolocation document to set the correct Elasticsearch configuration for GeoMap. In Wazuh v3.9.4 (released today) this configuration is included by default.

Please note that not all alerts can be included on the Geomap. Alerts to be included on the Geomap must contain one of these 3 fields:
  • "data.win.eventdata.ipAddress"
  • "data.srcip"
  • "data.aws.sourceIPAddress"
It is also mandatory that these are public IPs, not DNS names.


To visualize the Geomap, after following the steps of the Enrich events with IP Geolocation document, let's create a map view and place it on a custom dashboard:

First of all, you have to go to the Visualize tab of Kibana, and click on "Create a visualization":

      a.png



You have to choose a Coordinate Map Visualization

   2.png


The source for our Geomap is wazuh-alerts-3.x-*

3.png


Please set aggregation and field values as follows and remember to save. The Geomap is created.


  5.png



Now you have to go to the Dashboard tab of Kibana, and click on "Create new dashboard":

  6.png


Please click on "Add" to add your Geomap visualization

  7.png

    
Choose your Geomap visualization (mine is called New Visualization)

8.png


Time to save the dashboard.

 10.png



Following these instructions, you should now see certain alerts in the Geomap.


Please, let me know if it helps. Regards,

Juan Pablo Sáez

Juan Pablo Saez

Jul 23, 2019, 9:58:53 AM
to Wazuh mailing list
Hi Alvaro,

I'm so glad you were able to set up the map correctly!

If the agents are connected to the same Wazuh manager and ELK stack, the configuration you have made is enough for these alerts to appear with GeoIP information. If I'm not solving your problem, please give me more information so I can understand.

Please let me know if it helps.

Kind Regards, Juan Pablo Sáez


On Mon, Jul 22, 2019 at 5:57 PM Alvaro Victoriano <alvar...@gmail.com> wrote:
It's working, thank you so much Juan.

Could I make this work for agents that are connected in other countries?

Alvaro Victoriano

Jul 23, 2019, 11:18:45 AM
to Wazuh mailing list
OK, I'm going to explain. The map above is showing the IPs from which I received attacks on my server (that server has no agents so far), so I have only the source IP in this case. What about if there are agents connected to the manager and they receive attacks, for example? In this case I would have source IPs, which are the attackers, and destinations, which are the agents.

With the "Enrich events with IP Geolocation" setup that I applied, I have seen that I receive only the source IP, without the destination.

Would you suggest that I use this code instead of the one above of yours, in order to have source and destination for the geomap?

Thank you, Juan

PUT _ingest/pipeline/geoip-info
{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "destination.ip",
        "target_field": "destination.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "server.ip",
        "target_field": "server.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "host.ip",
        "target_field": "host.geo",
        "ignore_missing": true
      }
    }
  ]
}

Juan Pablo Saez

Jul 24, 2019, 7:44:39 AM
to Wazuh mailing list
Hello Alvaro,

For the use case where an alert has a source IP and a destination IP:

Let's review how the current configuration works to understand what changes you should make if you want to get a destination IP and use it for GeoIP:
  • Wazuh uses alerts.json as its output file. Filebeat reads from the alerts.json file and renames the alert fields data.win.eventdata.ipAddress, data.srcip and data.aws.sourceIPAddress into @src_ip. This rename is defined in the Filebeat configuration. For your use case: you should rename alert fields containing destination IPs, i.e. data.dstip, into a new field, i.e. @dst_ip. Take the @src_ip rename blocks as an example. We recommend that you review alerts on Kibana in search of fields containing destination IPs.
  • The ingest pipeline in the Enrich events with IP Geolocation document renames the @src_ip field into the Geolocation field, then removes the @src_ip field. For your use case: you should replicate the two configuration blocks (geoip, remove) for @dst_ip. If an event contains both @dst_ip and @src_ip, with this configuration only one of the two locations will be saved, as they point to the same Geolocation.location data structure. To solve this problem we will distinguish between the Geolocation properties of @src_ip and those of @dst_ip. For @src_ip "properties": ["city_name_src", "country_name_src", "region_name_src", "location_src"] and for @dst_ip "properties": ["city_name_dst", "country_name_dst", "region_name_dst", "location_dst"].
  • The geolocation fields are established in the Elasticsearch Wazuh template. For your use case: you must update these fields to match the ones in the ingest pipeline. If you modify the Wazuh template, remember that this applies to indexes not yet created. Those already created need to be reindexed to change their mapping.
  • The Geomap info is displayed in a Coordinate Map visualization in the Kibana Wazuh app. For your use case: you should create 2 separate visualizations, one for locations coming from @src_ip and one for locations coming from @dst_ip.

For the use case where an event has only a destination IP:
  • You just have to rename fields containing destination IPs, i.e. data.dstip, into @dst_ip in the Filebeat configuration. This way you would have a map that combines source GeoIPs with destination GeoIPs. This configuration has two downsides:
    • On the same map, alerts with src GeoIP and dst GeoIP that have no relationship between them are mixed.
    • If an alert has src_ip and dst_ip, as we have just one location, only one of these two IPs will be taken into account.

I think the first config option comes closer to the result you want.

On the other hand, in upcoming releases we will include improvements to the integration with Elastic, where everything will be configured by default and where you will be able to add more fields in a simpler way.

    Please, let me know if it helps.


    Kind regards, Juan Pablo Sáez

    Alvaro Victoriano

Jul 24, 2019, 8:03:34 PM
    to Wazuh mailing list
    Thank you so much Juan

I have done the first two parts, but I couldn't do the third, which is about indexing. I just edited the file wazuh-template.json, then I didn't see any changes, so I went to get the Wazuh indexes using the Kibana developer API, but I didn't see what I had edited in the file. So I tried to modify the Wazuh index using PUT, but it wasn't acceptable because the fields are not available.

Could you help me with that part please? Did I do the first two correctly?

    Thank you
    1.png
    2.png
    3.png

    Juan Pablo Saez

Jul 25, 2019, 5:13:46 AM
    to Wazuh mailing list
    Hi again Alvaro,

    I've found a better solution, let's go with it:
• The first part stays the same: You have to add the rename for data.dstip to @dst_ip. I think your first part is correct. Anyway, I'll add this example block below:
    - rename:
        fields:
          - from: "data.dstip"
            to: "@dst_ip"
        ignore_missing: true
        fail_on_error: false
        when:
          regexp:
            data.dstip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b

• The second part is different:
  • To start, we stop the filebeat service:
    # systemctl stop filebeat

  • Then we will restore the original Wazuh template because we don't need to modify it: please launch the step 3 commands of the Elastic installation document to reinstall the Wazuh template.
  • Now it's time to create the right Elastic ingest pipeline. In the message above we used different Geolocation attributes depending on the @src_ip or @dst_ip entry. Now I propose you use two different objects with the same attributes: Geolocation_src and Geolocation_dst. Just copy it:
    curl -X PUT "YOURELASTICIP:9200/_ingest/pipeline/geoip" -H 'Content-Type: application/json' -d'
    {
        "description" : "Add geoip info",
        "processors" : [
            {
                "geoip" : {
                    "field" : "@src_ip",
                    "target_field": "GeoLocation_src",
                    "properties": ["city_name", "country_name", "region_name", "location"],
                    "ignore_missing": true,
                    "ignore_failure" : true
                }
            },
            {
                "remove": {
                    "field": "@src_ip",
                    "ignore_missing": true,
                    "ignore_failure" : true
                }
            },
            {
                "geoip" : {
                    "field" : "@dst_ip",
                    "target_field": "GeoLocation_dst",
                    "properties": ["city_name", "country_name", "region_name", "location"],
                    "ignore_missing": true,
                    "ignore_failure" : true
                }
            },
            {
                "remove": {
                    "field": "@dst_ip",
                    "ignore_missing": true,
                    "ignore_failure" : true
                }
            }
        ]
    }
    '

  • If it works, Elastic should reply with {"acknowledged":true}

• For the third step, please follow this document in our wazuh-kibana-app repository Wiki to reindex your wazuh-alerts* index.
• Let's start filebeat again:
  # systemctl start filebeat
• If everything has worked, alerts with the @src_ip field will contain a Geolocation_src object and alerts with the @dst_ip field will contain a Geolocation_dst object. Some alerts can contain both.
• You should re-generate the @src_ip Coordinate Map again: the new object is called Geolocation_src, not Geolocation. On the other hand, you should create a new Coordinate Map for @dst_ip - Geolocation_dst.
Please, let me know if it helps.
    Please, let me know if it helps.

    Greetings, Juan Pablo Sáez
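The two messages above describe a three-stage chain: Filebeat renames data.srcip / data.dstip into @src_ip / @dst_ip (guarded by the IPv4 regexp), the ingest pipeline turns those into GeoLocation_src / GeoLocation_dst, and the map only shows alerts whose IPs are public. The script below is an added example, not Wazuh's or Elastic's own code: it emulates the Filebeat rename stage on constructed alerts.json lines, reports which renamed IPs a geoip processor can actually resolve (the regexp accepts private ranges and even out-of-range octets such as 999.1.1.1, which then silently produce no GeoLocation object), and builds the body for Elasticsearch's real `POST _ingest/pipeline/<id>/_simulate` endpoint so the pipeline can be checked before waiting for new indices. The sample alerts are constructed; the public addresses come from MaxMind's GeoIP test data, and `run`, `filebeat_rename`, `geoip_readiness` and `simulate_request` are names chosen here.

```python
"""Emulate the Filebeat rename + GeoIP readiness check from the thread (added example)."""
import copy
import ipaddress
import re

# Same IPv4 pattern as the `when.regexp` condition in the Filebeat rename block.
IPV4_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")

# (alert field, renamed field) as described in the thread; first match per target wins.
RENAMES = [
    ("data.win.eventdata.ipAddress", "@src_ip"),
    ("data.srcip", "@src_ip"),
    ("data.aws.sourceIPAddress", "@src_ip"),
    ("data.dstip", "@dst_ip"),
]

# Renamed field -> object the ingest pipeline writes (names taken from the thread).
GEO_TARGETS = {"@src_ip": "GeoLocation_src", "@dst_ip": "GeoLocation_dst"}

# Constructed sample alerts (not real Wazuh output). 81.2.69.142 and 89.160.20.112
# are addresses from MaxMind's public GeoIP test data; 10.0.0.12 is RFC 1918.
SAMPLE_ALERTS = [
    {"data": {"srcip": "81.2.69.142"}},                            # source only
    {"data": {"srcip": "89.160.20.112", "dstip": "10.0.0.12"}},    # both sides, internal agent
    {"data": {"srcip": "attacker.example"}},                       # hostname, fails the regexp
    {"data": {"dstip": "999.1.1.1"}},                              # passes the regexp, not an IP
]


def get_path(doc, dotted):
    """Read a dotted path such as data.win.eventdata.ipAddress from nested dicts."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def pop_path(doc, dotted):
    """Remove and return a dotted path; Filebeat's rename moves (does not copy) the field."""
    parts = dotted.split(".")
    cur = doc
    for key in parts[:-1]:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur.pop(parts[-1], None) if isinstance(cur, dict) else None


def filebeat_rename(alert):
    """Apply the rename blocks: move matching IP fields to @src_ip / @dst_ip."""
    doc = copy.deepcopy(alert)
    for src, dst in RENAMES:
        val = get_path(doc, src)
        # `when.regexp` only checks the dotted-quad shape; with fail_on_error: false an
        # already-populated target is simply left alone.
        if isinstance(val, str) and IPV4_RE.search(val) and dst not in doc:
            doc[dst] = pop_path(doc, src)
    return doc


def geoip_readiness(doc):
    """Per renamed field: "ok", "not_global" (private/loopback, no GeoIP entry) or "invalid"."""
    report = {}
    for field in GEO_TARGETS:
        if field not in doc:
            continue
        try:
            ip = ipaddress.ip_address(doc[field])
        except ValueError:
            report[field] = "invalid"
            continue
        report[field] = "ok" if ip.is_global else "not_global"
    return report


def simulate_request(docs):
    """Body for POST _ingest/pipeline/geoip/_simulate, to test the pipeline on staged docs."""
    return {"docs": [{"_source": d} for d in docs]}


def run(alerts=SAMPLE_ALERTS):
    """Stage every alert through the rename and report GeoIP readiness."""
    staged = [filebeat_rename(a) for a in alerts]
    return staged, [geoip_readiness(d) for d in staged]


if __name__ == "__main__":
    import json
    staged, reports = run()
    for doc, rep in zip(staged, reports):
        print(json.dumps(doc), rep)
    print(json.dumps(simulate_request(staged), indent=2))
```

Only the first two alerts will ever draw a point on the map: the hostname never gets renamed, the internal agent address and the malformed value get renamed but have no entry in the GeoIP database, so the `remove` processor deletes @dst_ip and the alert carries no GeoLocation_dst at all. Posting the printed `_simulate` body to the real cluster shows exactly that before any index is created.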

    Alvaro Victoriano

Jul 26, 2019, 1:03:07 AM
    to Wazuh mailing list
    Thank you so much Juan

It's working!!

Now, for every new index, should I reindex it so that I see the dst and src, right?



    Screenshot.png

    Juan Pablo Saez

Jul 26, 2019, 2:56:41 AM
    to Wazuh mailing list
    Hi Alvaro,

    I'm glad it's working now!

    New indexes are created with those fields in them. You won't have to reindex each time you create a new index.

Please, count on us if you need more help. Kind regards,

    Juan Pablo Sáez

    Alvaro Victoriano

Jul 26, 2019, 1:43:11 PM
    to Wazuh mailing list
I think I could understand it fine now after many tests.

The problem was in the third step.


For now let me comment for you on what I have done:

1- Editing filebeat.yml and adding a new field:
        - from: "data.dstip" ....


2- PUT _ingest/pipeline/geoip (here was the problem of misunderstanding: I can see the target of the logs (data.dstip) is going to the GeoLocation_dst field, which is not included in the Wazuh template for indexing).

3- So I had to modify it, and I added a new field Geolocation_dst, giving it its properties ("city_name", "country_name", "location") so that it can be indexed.

For now I should wait for the new indexes.

Thank you so much Juan

    Juan Pablo Saez

Jul 31, 2019, 4:54:33 AM
    to Wazuh mailing list
    Hi again Alvaro,

    I'm sorry for the late reply,

    Your filebeat.yml and Elastic ingest pipeline are OK.


3- So I had to modify it, and I added a new field Geolocation_dst, giving it its properties ("city_name", "country_name", "location") so that it can be indexed.

• Yes, you need to add the new fields (Geolocation_dst and Geolocation_src) to the template. The template indicates how the index will be created.
• Once the template has been edited, please follow this document in our wazuh-kibana-app repository Wiki to reindex your wazuh-alerts* index.

    Your configuration is almost correct, please tell me how it went.



    Greetings, Juan Pablo Sáez
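What step 3 needs in practice is a mapping that matches the ingest pipeline's target objects, because a Coordinate Map can only aggregate on a field mapped as geo_point; a template that lacks the object leaves `location` dynamically mapped as text and the visualization finds nothing. The fragment below is an added example of that mapping, not the project's own wazuh-template.json: it assumes the Elastic 7.x template layout (`mappings.properties` without a document type), uses the object names from the pipeline above (GeoLocation_src, GeoLocation_dst) with the four properties that pipeline emits, and is meant to be merged into the existing `properties` block of the Wazuh template rather than replace it. Field types for city/country/region as keyword are an assumption chosen here.

```json
{
  "mappings": {
    "properties": {
      "GeoLocation_src": {
        "properties": {
          "city_name":    { "type": "keyword" },
          "country_name": { "type": "keyword" },
          "region_name":  { "type": "keyword" },
          "location":     { "type": "geo_point" }
        }
      },
      "GeoLocation_dst": {
        "properties": {
          "city_name":    { "type": "keyword" },
          "country_name": { "type": "keyword" },
          "region_name":  { "type": "keyword" },
          "location":     { "type": "geo_point" }
        }
      }
    }
  }
}
```

After the template is reloaded and the next daily index exists, `GET wazuh-alerts-3.x-*/_mapping/field/GeoLocation_dst.location` (the standard field-mapping API) should report `"type": "geo_point"` for that index; an index created before the change will still show the old mapping, which is exactly why it has to be reindexed.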

    Blason R

Jul 31, 2019, 1:28:30 PM
    to Alvaro Victoriano, Wazuh mailing list
It shouldn't be any challenge if geo data or points are appearing in your indices. Then it's just a matter of creating the visualization.


    Alvaro Victoriano

Aug 1, 2019, 12:21:03 PM
    to Wazuh mailing list
Already done!

Thank you so much Juan, you were so helpful