Mehwish Tariq

Jun 14, 2021, 1:53:59 AM
to Wazuh mailing list
Hello,
I have many questions!
1. I am making a dashboard. I want to extract more information, like "In DC-PROD-C1, which person with which ID got a successful login?"
SIEM S.S 1.PNG
2. I want to add more statuses in rule.description: Descending, like the "Windows Logon Success" type. How can I add more statuses?

Juan Carlos

Jun 14, 2021, 8:44:55 AM
to Wazuh mailing list
Hello Mehwish,
When creating a visualization to list unique events, rather than aggregate them, it is recommended to use a Saved Search instead of a table, because tables multiply the number of searches performed for each column they contain.
To create a Saved Search, go to Discover, search for the field names you wish to see in your table of events and click on the blue circle with a plus symbol to add them as a column:

Alternatively you may unfurl any of the events and select specific fields which may be of interest to you:
addcolumn.png
For Windows you may select, for example, data.win.eventdata.targetUserName to gain information on who signed in, and to determine the type of logon you may use data.win.eventdata.logonType, which is a numerical value provided by Microsoft. Here's a good explanation of what each of these numbers means: https://eventlogxp.com/blog/logon-type-what-does-it-mean/
ToggleColumn.png
If you wish you may create unique rules that identify each of these logins by their LogonType number and provide them a written description right in the table. More information on how to create custom rules can be found here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
For example, a rule that explains that a LogonType 7 has occurred can be:

<rule id="100003" level="0">
  <if_sid>60106</if_sid>
  <field name="win.eventdata.logonType">7</field>
  <description>Windows Unlock Event. This workstation was unlocked.</description>
</rule>

Let us know if you have any more questions,
Best Regards,
Juan Carlos Tello

Mehwish Tariq

Jun 16, 2021, 3:36:07 AM
to Wazuh mailing list
1. I couldn't extract more information using "data.win.eventdata.targetUserName".
 6.png
2. I want to show this detailed information divided into separate columns in the dashboard.
7.png
3. Where can I run this given script?
<rule id="100003" level="0">
  <if_sid>60106</if_sid>
  <field name="win.eventdata.logonType">7</field>
  <description>Windows Unlock Event. This workstation was unlocked.</description>
</rule>

Juan Carlos

Jun 21, 2021, 11:29:09 AM
to Wazuh mailing list
Hello Mehwish,


On Wednesday, June 16, 2021 at 9:36:07 AM UTC+2 mehwish wrote:
1. I couldn't extract more information using "data.win.eventdata.targetUserName".
 6.png
Not sure what other information you're looking to extract. I see you have a column for the person who performed the log off events. 
2. I want to show this detailed information divided into separate columns in the dashboard.
7.png
You may select as many fields as you wish for the dashboard by following the steps mentioned before.

3. Where can I run this given script?
<rule id="100003" level="3">
  <if_sid>60106</if_sid>
  <field name="win.eventdata.logonType">7</field>
  <description>Windows Unlock Event. This workstation was unlocked.</description>
</rule>

You may add this custom rule by going into Wazuh>Management>Rules
  image1650.png
Once there you may select Add new rules file, or filter existing rules to show only Custom rules and click on an existing custom rule file.
It is important to include the rule within a group, so if you haven't already created another group then paste the following in the rule editor:

<group name="custom">
  <rule id="100003" level="3">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.logonType">7</field>
    <description>Windows Unlock Event. This workstation was unlocked.</description>
  </rule>
</group>
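The LogonType rule above and the first reply's advice to "create unique rules that identify each of these logins by their LogonType number" generalize to one custom group covering the common Microsoft logon types. The following rules file is an added example written for this thread; it is not from the original posts or from the Wazuh ruleset. It assumes the stock rule 60106 (Windows logon success) as the parent, as in the thread, and uses rule IDs 100010-100014 chosen here from the custom range. Two details worth noting: the field match is a regex, so `7` alone would also match a value such as `17`, which is why the values are anchored with `^` and `$`; and a rule at level 0 never produces an alert, so the thread's first snippet would not have shown up in any dashboard until its level was raised to 3 or higher, as Juan's second version does.

```xml
<!-- Added example rules file (not from the thread or the Wazuh ruleset).
     Place it under Management > Rules as a custom file, e.g. local_windows_logons.xml.
     Parent rule 60106 = stock "Windows logon success" (event 4624), as used in the thread.
     Logon type numbers are Microsoft's: 2 interactive, 3 network, 7 unlock,
     10 remote interactive (RDP), 11 cached interactive. -->
<group name="custom,windows,authentication_success">

  <!-- Level 3 or higher is required: level 0 rules are matched but never alerted. -->
  <rule id="100010" level="3">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.logonType">^2$</field>
    <description>Windows interactive (console) logon by $(win.eventdata.targetUserName) on $(win.system.computer).</description>
  </rule>

  <rule id="100011" level="3">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.logonType">^3$</field>
    <description>Windows network logon (file share/SMB or similar) by $(win.eventdata.targetUserName) on $(win.system.computer).</description>
  </rule>

  <rule id="100012" level="3">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.logonType">^7$</field>
    <description>Windows Unlock Event. $(win.system.computer) was unlocked by $(win.eventdata.targetUserName).</description>
  </rule>

  <!-- Remote Desktop logons are usually the ones worth watching most closely,
       so they get a slightly higher level than the rest. -->
  <rule id="100013" level="5">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.logonType">^10$</field>
    <description>Windows RDP (RemoteInteractive) logon by $(win.eventdata.targetUserName) on $(win.system.computer).</description>
  </rule>

  <rule id="100014" level="3">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.logonType">^11$</field>
    <description>Windows cached-credentials logon by $(win.eventdata.targetUserName) on $(win.system.computer).</description>
  </rule>

</group>
```

Because each description embeds the target user and computer with `$(field)` substitution, the rule.description column in a dashboard table directly answers "which person logged on to which host and how", and a Terms aggregation on rule.description splits the logon types into separate rows without any extra filters. After saving the file, restart the manager (the Rules page offers to do this) and confirm with a test logon on one agent that the new rule IDs appear in the alerts before building the visualization.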

Mehwish Tariq

Jul 6, 2021, 3:56:37 AM
to Wazuh mailing list
Hello,

If I want to extract information by applying a condition, for example: in my dashboard there are all the users who faced a failed login error due to an incorrect password. If I want to apply a condition to extract the top 10 users who entered a wrong password more than 5 times,

where can I run this query and apply the condition, other than by applying a filter?

TIA,

Juan Carlos Tello

Jul 7, 2021, 3:55:06 PM
to Mehwish Tariq, Wazuh mailing list
Hello Mehwish,
You may create a custom dashboard to receive the most frequent values observed for a field considering previously applied filters.
In order to do so you may go into Visualize or you can add them directly as you create them into a Dashboard.
image.png

You may Create a New visualization by clicking on Create new:
image.png

Be sure to select wazuh-alerts-* as the source of information. If you select, for example, a table visualization, you can then add a bucket to split the rows by values:
image.png
Then select Terms as the type of aggregation, the field data.dstuser and the size of the bucket to be 10, then click update:
image.png
Finally you can make it so that a filter is built into the visualization so it is not necessary to create it each time:
image.png
After saving you will be able to visualize this specific table by accessing this dashboard.

Please let me know if I answered your question.
Best Regards,
Juan Carlos Tello
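The answer above evaluates the "more than 5 wrong passwords" condition on the dashboard side, with a Terms bucket of size 10 on data.dstuser. The same condition can instead be evaluated by the manager as a correlation rule, so that an alert exists for each account that crosses the threshold and the dashboard only has to count those alerts. The rule below is an added example for this thread, not code from the original posts or from the Wazuh ruleset. It assumes that 60122 is the stock "Logon Failure - Unknown user or bad password" rule for Windows event 4625 in the installed ruleset (check under Management > Rules before relying on it), that the manager is a 4.x release that supports `<same_field>`, and it uses rule ID 100020 chosen from the custom range.

```xml
<!-- Added example (not from the thread or the Wazuh ruleset).
     Fires when the same target account accumulates failed password logons within
     a 5-minute window. Assumption: 60122 is the stock Windows "bad password"
     failure rule in your ruleset; adjust if your version numbers it differently. -->
<group name="custom,windows,authentication_failures">

  <!-- frequency counts matched 60122 events inside timeframe (seconds) for the
       same targetUserName; 6 matches corresponds to "more than 5" attempts.
       Older rule engines fired one event late, so confirm the exact trigger
       count on a test agent before tuning thresholds. -->
  <rule id="100020" level="8" frequency="6" timeframe="300">
    <if_matched_sid>60122</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>More than 5 failed password attempts for $(win.eventdata.targetUserName) on $(win.system.computer) within 5 minutes.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

</group>
```

With this rule in place, the "top 10 users" table becomes a Terms aggregation on data.win.eventdata.targetUserName filtered to rule.id:100020, and the threshold no longer depends on the time range selected in the dashboard: each alert already represents an account that exceeded 5 failures in one 5-minute window. The level of 8 is chosen so the alert is high enough to stand out in the default dashboards and to be picked up by any e-mail or integration notification thresholds you have configured.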
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/eef50e51-4198-4bef-86a0-a3797a1b407cn%40googlegroups.com.