
Detecting ransomware activity with Wazuh

851 views

HA

Mar 27, 2023, 10:31:41 AM
to Wazuh mailing list
Hi all,

I followed the guide to detect ransomware activity (counting the number of files created and deleted over a period of time).

It's working fine, but I would like to get the agent name and group (a custom label called agent.labels.group in my config) in the details of my triggered action (I'm using email for the moment).

The default message is composed of:
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}}
  - Period end: {{ctx.periodEnd}}

Any idea?

Regards,

HA

Lucas Pascual

Mar 27, 2023, 11:03:05 AM
to Wazuh mailing list
Hello HA, thank you for using Wazuh!
I will review your question and will be back with a response as soon as possible!

Regards,

Lucas Pascual

Mar 28, 2023, 5:31:27 PM
to Wazuh mailing list
Hi HA,
I had to check on the lab in order to validate the steps; here they are:

Labels will need to be used in order to be able to receive the group information through Alerting.
_ Add labels to the agent's ossec.conf, and restart the agent afterwards.
*****************************************************************************************
<labels>
  <label key="agentname">pc</label>
  <label key="agentgroup">windows</label>
</labels>

*****************************************************************************************

_ Test the alarm you will be working with to confirm the labels are shown, for example:
[screenshot: 2_2803.png]

_ Filter by alarm or whichever information you need; I will be using event.id 554.
Go to the upper right corner "Inspect" > "Request" (extract/copy the query section). This will be used later on.
[screenshot: 3_2803.png]

_ A new Monitor instance will be needed that will make use of the query content.
_ Go to "Alerting" > "Monitors" > "Create Monitor". For Monitor Details, select "Per query monitor" > "Extraction query editor"
[screenshot: 4_2803.png]

_ Data source will be wazuh-alerts*
[screenshot: 5_2803.png]

_ Insert the query extracted previously, editing the from-to fields

{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        { "match_all": {} },
        { "match_phrase": { "rule.id": "554" } },
        {
          "range": {
            "timestamp": {
              "gte": "now-10m",
              "lte": "now",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}


_ "Trigger" set as follows by default for this demonstration (events > 0):
[screenshot: 7_2803.png]

_ Actions will have the information below:
[screenshot: 9_2803.png]

Message text:
*****************************************************************************************
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}}
  - Period end: {{ctx.periodEnd}}
  - Occurrences: {{ctx.results.0.hits.total.value}}

{{#ctx.results.0.hits.hits}}

More Information:

- Agent name: {{_source.agent.name}}
- Agent name by label: {{_source.agent.labels.agentname}}
- Agent group by label: {{_source.agent.labels.agentgroup}}


{{/ctx.results.0.hits.hits}}

*****************************************************************************************

Triggering the alarm again should send out an email as configured:
[screenshot: 10_2803.png]

Note there are two ways to display the agent name, but only one for the group, which is by the use of labels.

I hope this helps!
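
The walkthrough above ends with an extraction query and a Mustache message template; the following added example (not Wazuh or OpenSearch Alerting code, written for this thread) rebuilds that query in code and renders the template with a minimal Mustache-subset renderer written here, so the reader can see why the `{{#ctx.results.0.hits.hits}}` section prints one "Agent" block per hit. The `SAMPLE_CTX` object is constructed to mimic the `ctx` a monitor hands to an action and assumes the wazuh-alerts document layout used in the thread (`agent.name`, `agent.labels.*`, `rule.id`).

```python
"""Rebuild the thread's extraction query and render its Mustache message.

Added example, not Wazuh or OpenSearch Alerting code. The renderer is a
minimal Mustache subset (variables and list sections) written here to show
why the {{#ctx.results.0.hits.hits}} section repeats once per hit. The
sample context below is constructed; field names assume wazuh-alerts documents.
"""
import json
import re


def build_extraction_query(rule_id: str, window: str = "now-10m") -> dict:
    """Same shape as the query pasted in the thread: one rule.id, last `window`."""
    return {
        "query": {
            "bool": {
                "must": [],
                "filter": [
                    {"match_all": {}},
                    {"match_phrase": {"rule.id": rule_id}},
                    {"range": {"timestamp": {
                        "gte": window, "lte": "now",
                        "format": "strict_date_optional_time"}}},
                ],
                "should": [],
                "must_not": [],
            }
        }
    }


# Matches {{name}}, {{#name}} and {{/name}}; names are dotted paths.
_TAG = re.compile(r"\{\{([#/])?([\w.]+)\}\}")


def _lookup(path: str, scopes: list):
    """Resolve a dotted path (numeric parts index lists), innermost scope first."""
    for scope in reversed(scopes):
        cur, found = scope, True
        for part in path.split("."):
            if isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
                cur = cur[int(part)]
            elif isinstance(cur, dict) and part in cur:
                cur = cur[part]
            else:
                found = False
                break
        if found:
            return cur
    return None


def _render(template: str, scopes: list) -> str:
    out, pos = [], 0
    while True:
        m = _TAG.search(template, pos)
        if m is None:
            out.append(template[pos:])
            return "".join(out)
        out.append(template[pos:m.start()])
        kind, name = m.group(1), m.group(2)
        if kind == "#":
            # Section: render the body once per list element, element in scope.
            close = f"{{{{/{name}}}}}"
            end = template.index(close, m.end())
            value = _lookup(name, scopes)
            items = value if isinstance(value, list) else ([value] if value else [])
            for item in items:
                out.append(_render(template[m.end():end],
                                   scopes + [item if isinstance(item, dict) else {}]))
            pos = end + len(close)
        elif kind == "/":
            raise ValueError(f"unexpected closing tag {{{{/{name}}}}}")
        else:
            value = _lookup(name, scopes)
            out.append("" if value is None else str(value))
            pos = m.end()


def render_message(template: str, ctx: dict) -> str:
    """Render an Alerting action message with the `ctx` object of a monitor."""
    return _render(template, [{"ctx": ctx}])


MESSAGE_TEMPLATE = """Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Occurrences: {{ctx.results.0.hits.total.value}}
{{#ctx.results.0.hits.hits}}
- Agent name: {{_source.agent.name}} / group by label: {{_source.agent.labels.agentgroup}}
{{/ctx.results.0.hits.hits}}"""


def _hit(agent: str, group: str, rule_id: str) -> dict:
    return {"_source": {"agent": {"name": agent,
                                  "labels": {"agentname": agent, "agentgroup": group}},
                        "rule": {"id": rule_id}}}


# Constructed context: two rule 554 hits from the same agent inside the window.
SAMPLE_CTX = {
    "monitor": {"name": "ransomware-file-added"},
    "results": [{"hits": {"total": {"value": 2},
                          "hits": [_hit("pc", "windows", "554"),
                                   _hit("pc", "windows", "554")]}}],
}

if __name__ == "__main__":
    print(json.dumps(build_extraction_query("554"), indent=2))
    print(render_message(MESSAGE_TEMPLATE, SAMPLE_CTX))
```

Running it prints the query and a message with the "Agent name" line twice, one per hit, which is the repetition HA reports further down the thread.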

HA

Mar 30, 2023, 2:29:23 AM
to Wazuh mailing list
Hi,

It works!!
Just two questions...
1) Is it possible to merge the two triggers (rules 553 and 554)? This is the normal behaviour of ransomware (create new files and afterwards delete them).
2) In the mail body, the agent name, label and group appear as many times as files were created/deleted. Is it possible to get only one?

Regards,

HA

Lucas Pascual

Apr 3, 2023, 4:00:21 PM
to Wazuh mailing list
Hello HA,
I am not sure I understand your use case; my first response would be that it is not possible to merge alerts. However, you could overwrite any rule and set its level to zero, so it will not display an alert on the dashboard.
Regarding the ransomware behavior, that is correct; it is how it is described in https://wazuh.com/blog/preventing-and-detecting-ransomware-with-wazuh/
The following actions are performed by the ransomware during an attack:
  • Read the file content.
  • Encrypt the content and write it into a new file.
  • Remove the original file.

Since Wazuh file integrity monitoring is able to monitor addition, changes, and deletion of files in directories, we can easily detect that new files are being created when encrypted and the original ones are removed. If an unlikely high number of file creation and deletion alerts are reported, we could be facing a ransomware attack.

As for your second question, alerting will trigger the notification with an entry for every occurrence, as its origin is a query of the alert in the first place. When there is more than one alert, it will fire more than one occurrence, which will replicate the output in the email alert; hope this makes sense. You can also review the Alerting Plugin documentation here.

Regards,
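
The create-then-delete pattern quoted from the blog and the "one entry per occurrence" behaviour explained above can be turned into a per-agent summary in a post-processing step. The following is an added example, not Wazuh code: it takes hits shaped like the `ctx.results.0.hits.hits` entries of the thread's monitor, assumes a result set that contains both rule IDs (for instance a query covering rule.id 553 and 554 over the same window), and collapses them to one line per agent with the counts of files added and deleted. Rule IDs are Wazuh's default syscheck rules (554 = file added, 553 = file deleted); the hits, paths and thresholds are constructed for the demonstration.

```python
"""Per-agent summary of file-added / file-deleted alerts.

Added example, not Wazuh code. Input hits are shaped like the
ctx.results.0.hits.hits entries of an Alerting monitor over wazuh-alerts*;
the sample data, paths and thresholds below are constructed.
"""
from collections import defaultdict

# Wazuh default syscheck rule IDs referenced in the thread.
RULE_FILE_ADDED = "554"
RULE_FILE_DELETED = "553"


def _hit(agent: str, rule_id: str, path: str, group: str = None) -> dict:
    """Build a minimal wazuh-alerts hit; the group label is optional."""
    agent_doc = {"name": agent}
    if group:
        agent_doc["labels"] = {"agentgroup": group}
    return {"_source": {"agent": agent_doc, "rule": {"id": rule_id},
                        "syscheck": {"path": path}}}


# Constructed hits: "pc" creates three new files and removes two originals,
# "srv1" only adds one file, "fs01" carries no group label at all.
SAMPLE_HITS = [
    _hit("pc", RULE_FILE_ADDED, r"C:\Users\bob\doc1.docx.enc", "windows"),
    _hit("pc", RULE_FILE_DELETED, r"C:\Users\bob\doc1.docx", "windows"),
    _hit("pc", RULE_FILE_ADDED, r"C:\Users\bob\doc2.docx.enc", "windows"),
    _hit("pc", RULE_FILE_DELETED, r"C:\Users\bob\doc2.docx", "windows"),
    _hit("pc", RULE_FILE_ADDED, r"C:\Users\bob\doc3.docx.enc", "windows"),
    _hit("srv1", RULE_FILE_ADDED, "/srv/share/report.pdf", "linux"),
    _hit("fs01", RULE_FILE_DELETED, "/data/old.bak"),
]


def summarize_by_agent(hits: list) -> dict:
    """Collapse hits to {agent: {group, added, deleted}}; other rule IDs are skipped."""
    summary = defaultdict(lambda: {"group": "unlabelled", "added": 0, "deleted": 0})
    for hit in hits:
        src = hit["_source"]
        rule_id = src["rule"]["id"]
        if rule_id not in (RULE_FILE_ADDED, RULE_FILE_DELETED):
            continue
        entry = summary[src["agent"]["name"]]
        entry["group"] = src["agent"].get("labels", {}).get("agentgroup", "unlabelled")
        entry["added" if rule_id == RULE_FILE_ADDED else "deleted"] += 1
    return dict(summary)


def suspicious_agents(summary: dict, min_added: int = 2, min_deleted: int = 2) -> list:
    """Agents showing the create-then-delete pattern above both thresholds."""
    return sorted(name for name, s in summary.items()
                  if s["added"] >= min_added and s["deleted"] >= min_deleted)


def format_report(summary: dict) -> str:
    """One line per agent, instead of one block per hit as the template does."""
    return "\n".join(
        f"- Agent {name} (group {s['group']}): {s['added']} added, {s['deleted']} deleted"
        for name, s in sorted(summary.items()))


if __name__ == "__main__":
    summary = summarize_by_agent(SAMPLE_HITS)
    print(format_report(summary))
    print("create-then-delete pattern on:", suspicious_agents(summary))
```

The thresholds are deliberately low for the constructed sample; in practice they should be tuned per agent group against the normal file churn of that group's hosts, which is why the group label is carried through into the summary.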