Latest Wazuh not registering GuardDuty events.


Charles Rawls

Jan 17, 2023, 4:41:47 AM
to Wazuh mailing list
Gentle beings, I am working on a POC for wazuh to replace another SIEM.

I have wazuh running, I have aws integrated, and cloudtrails works well. My issue is that I have GuardDuty sending findings to an S3 bucket via firehose, and wazuh polls the s3 Bucket for log entries, but those log entries seem to need to be processed.

GuardDuty was configured as per the documents located at : https://documentation.wazuh.com/current/amazon/services/supported-services/guardduty.html.

The aws wodle stanza from ossec.conf

[attached image: maloupe_ _var_ossec_etc.png]

From my ossec.log
[attached image: maloupe_ _var_ossec_logs.png]

The rule set 0350-amazon_rules.xml, has been modified to remove the guardduty related rule stanzas.
 
From my local_rules.xml
[attached image: maloupe_ _var_ossec_etc_rules.png]

A sample GuardDuty finding from the S3 Bucket; there are ~15 findings available.

{"version":"0","id":"1e1c126c-7a78-2e72-d7e3-1efa095fae63","detail-type":"GuardDuty Finding","source":"aws.guardduty","account":"REDACTED","time":"2023-01-12T19:45:02Z","region":"us-east-1","resources":[],"detail":{"schemaVersion":"2.0","accountId":"REDACTED","region":"us-east-1","partition":"aws","id":"d2c2295b5354b8ac1b1a199661f74619","arn":"arn:aws:guardduty:us-east-1:REDACTED:detector/24bf5150a84b720da33d19f827d3eacc/finding/d2c2295b5354b8ac1b1a199661f74619","type":"Policy:IAMUser/RootCredentialUsage","resource":{"resourceType":"AccessKey","accessKeyDetails":{"accessKeyId":"","principalId":"REDACTED","userType":"Root","userName":"Root"}},"service":{"serviceName":"guardduty","detectorId":"24bf5150a84b720da33d19f827d3eacc","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"ConsoleLogin","serviceName":"signin.amazonaws.com","callerType":"Remote IP","remoteIpDetails":{"ipAddressV4":"REDACTED","organization":{"asn":"12271","asnOrg":"TWC-12271-NYC","isp":"Spectrum","org":"Spectrum"},"country":{"countryName":"United States"},"city":{"cityName":"Rhinebeck"},"geoLocation":{"lat":41.9272,"lon":-73.8888}},"affectedResources":{}}},"resourceRole":"TARGET","additionalInfo":{"value":"{}","type":"default"},"eventFirstSeen":"2022-11-07T15:23:28.000Z","eventLastSeen":"2023-01-12T19:35:42.000Z","archived":false,"count":59},"severity":2,"createdAt":"2022-11-07T15:30:12.777Z","updatedAt":"2023-01-12T19:42:57.313Z","title":"API ConsoleLogin was invoked using root credentials.","description":"API ConsoleLogin was invoked using root credentials from IP address REDACTED."}}



The ruletest from the console shows:
[attached image: ruletest.png]

In /var/ossec/wodles/aws I have a sqlite db, s3_cloudtrail.db, and it has a guardduty table, but the table is empty.

I am at a loss on how to move forward with this.

David José Iglesias Lopez

Jan 17, 2023, 6:54:19 AM
to Wazuh mailing list

Hello,

I have done some testing and the above JSON is malformed, as the logtest gets stuck in the decoding part.

After fixing it to be a valid JSON:

root@wazuh-master:/var/ossec# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line


{"integration": "aws", "aws": {"log_info": {"aws_account_alias": "", "log_file": "2023/01/12/19/Guardduty-S3-Local-2-2023-01-12-19-45-03-3c7012bb-9e6c-45f0-8461-7cc36f7e2221", "s3bucket": "legacy-guardduty-bucket"}, "schemaVersion": "2.0", "accountId": "<REDACTED>", "region": "us-east-1", "partition": "aws", "id": "d2c2295b5354b8ac1b1a199661f74619", "arn": "arn:aws:guardduty:us-east-1:<redacte>:detector/24bf5150a84b720da33d19f827d3eacc/finding/d2c2295b5354b8ac1b1a199661f74619", "type": "Policy:IAMUser/RootCredentialUsage", "resource": {"resourceType": "AccessKey", "accessKeyDetails": {"accessKeyId": "", "principalId": "9<REDACTED>", "userType": "Root", "userName": "Root"}}, "service": {"serviceName": "guardduty", "detectorId": "24bf5150a84b720da33d19f827d3eacc", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "callerType": "Remote IP", "remoteIpDetails": {"ipAddressV4": "<REDACTED>", "organization": {"asn": "12271", "asnOrg": "TWC-12271-NYC", "isp": "Spectrum", "org": "Spectrum"}, "country": {"countryName": "United States"}, "city": {"cityName": "<REDACTED>"}, "geoLocation": {"lat": "", "lon": ""}}, "affectedResources": {}}}, "resourceRole": "TARGET", "additionalInfo": {"value": "{}", "type": "default"}, "eventFirstSeen": "2022-11-07T15:23:28.000Z", "eventLastSeen": "2023-01-12T19:35:42.000Z", "archived": false, "count": 59}, "severity": 2, "createdAt": "2022-11-07T15:30:12.777Z", "updatedAt": "2023-01-12T19:42:57.313Z", "title": "API ConsoleLogin was invoked using root credentials.", "description": "API ConsoleLogin was invoked using root credentials from IP address 24.168.55.161.", "source": "guardduty"}}


**Phase 1: Completed pre-decoding.
**Phase 2: Completed decoding.
name: 'json'
aws.accountId: '<REDACTED>'
aws.arn: 'arn:aws:guardduty:us-east-1:<redacte>:detector/24bf5150a84b720da33d19f827d3eacc/finding/d2c2295b5354b8ac1b1a199661f74619'
aws.createdAt: '2022-11-07T15:30:12.777Z'
aws.description: 'API ConsoleLogin was invoked using root credentials from IP address 24.168.55.161.'
aws.id: 'd2c2295b5354b8ac1b1a199661f74619'
aws.log_info.log_file: '2023/01/12/19/Guardduty-S3-Local-2-2023-01-12-19-45-03-3c7012bb-9e6c-45f0-8461-7cc36f7e2221'
aws.log_info.s3bucket: 'legacy-guardduty-bucket'
aws.partition: 'aws'
aws.region: 'us-east-1'
aws.resource.accessKeyDetails.principalId: '9<REDACTED>'
aws.resource.accessKeyDetails.userName: 'Root'
aws.resource.accessKeyDetails.userType: 'Root'
aws.resource.resourceType: 'AccessKey'
aws.schemaVersion: '2.0'
aws.service.action.actionType: 'AWS_API_CALL'
aws.service.action.awsApiCallAction.api: 'ConsoleLogin'
aws.service.action.awsApiCallAction.callerType: 'Remote IP'
aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName: '<REDACTED>'
aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName: 'United States'
aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4: '<REDACTED>'
aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn: '12271'
aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg: 'TWC-12271-NYC'
aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp: 'Spectrum'
aws.service.action.awsApiCallAction.remoteIpDetails.organization.org: 'Spectrum'
aws.service.action.awsApiCallAction.serviceName: 'signin.amazonaws.com'
aws.service.additionalInfo.type: 'default'
aws.service.additionalInfo.value: '{}'
aws.service.archived: 'false'
aws.service.count: '59'
aws.service.detectorId: '24bf5150a84b720da33d19f827d3eacc'
aws.service.eventFirstSeen: '2022-11-07T15:23:28.000Z'
aws.service.eventLastSeen: '2023-01-12T19:35:42.000Z'
aws.service.resourceRole: 'TARGET'
aws.service.serviceName: 'guardduty'
aws.severity: '2'
aws.source: 'guardduty'
aws.title: 'API ConsoleLogin was invoked using root credentials.'
aws.type: 'Policy:IAMUser/RootCredentialUsage'
aws.updatedAt: '2023-01-12T19:42:57.313Z'
integration: 'aws'
**Phase 3: Completed filtering (rules).
id: '80301'
level: '3'
description: 'AWS GuardDuty: AWS_API_CALL - API ConsoleLogin was invoked using root credentials..'
groups: '['amazon', 'aws', 'aws_guardduty']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.

Charles Rawls

Jan 17, 2023, 12:01:57 PM
to Wazuh mailing list
Well, it appears that AWS has made changes to the firehose, and that it is delivering non-valid JSON data. See https://stackoverflow.com/questions/34468319/reading-the-data-written-to-s3-by-amazon-kinesis-firehose-stream

Some form of interstitial step will be required, or the JSON decoder will need to be modified to handle this condition.

I suspect this will impact all AWS services delivering data to S3 via firehose: inspector, config, health, and trusted advisor... So some form of remediation will be necessary.

Root cause found; I'm not crazy, and when proper data is delivered, wazuh works.
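The "interstitial step" suggested above, as an added example that is not part of this thread and not Wazuh's own code: Kinesis Firehose can write several JSON records into one S3 object back to back, with no newline between them, which a plain json.loads() rejects. The splitter below uses json.JSONDecoder.raw_decode to walk such a blob object by object (tolerating any whitespace or newlines between records), keeps whatever parses if the tail of a file is truncated, and re-emits newline-delimited JSON. The sample blob is constructed; its field names follow the GuardDuty finding quoted earlier in the thread, but the values are made up.

```python
import json
from typing import List, Tuple

# Constructed sample: three GuardDuty findings as Firehose might deliver them,
# the first two glued together with no separator, the third after a newline.
# Field names mirror the finding shown earlier in the thread; values are fake.
FIREHOSE_BLOB = (
    '{"detail-type":"GuardDuty Finding","source":"aws.guardduty",'
    '"detail":{"id":"finding-aaa","type":"Policy:IAMUser/RootCredentialUsage","severity":2}}'
    '{"detail-type":"GuardDuty Finding","source":"aws.guardduty",'
    '"detail":{"id":"finding-bbb","type":"Recon:EC2/PortProbeUnprotectedPort","severity":5}}'
    '\n'
    '{"detail-type":"GuardDuty Finding","source":"aws.guardduty",'
    '"detail":{"id":"finding-ccc","type":"UnauthorizedAccess:IAMUser/ConsoleLogin","severity":8}}'
)


def split_concatenated_json(blob: str) -> Tuple[List[dict], str]:
    """Parse every complete top-level JSON value in `blob`, in order.

    Returns (objects, remainder). `remainder` is the empty string when the
    whole blob parsed; otherwise it is the unparsed tail (e.g. a record cut
    off mid-way when an S3 object was truncated), so the caller can log it
    or retry once the rest of the data arrives instead of dropping the
    records that did parse.
    """
    decoder = json.JSONDecoder()
    objects: List[dict] = []
    pos, n = 0, len(blob)
    while True:
        # raw_decode does not skip leading whitespace, so step over any
        # newlines or spaces Firehose (or a manual edit) put between records.
        while pos < n and blob[pos].isspace():
            pos += 1
        if pos >= n:
            return objects, ""
        try:
            obj, pos = decoder.raw_decode(blob, pos)
        except json.JSONDecodeError:
            # Corrupt or truncated record: keep what we have, hand back the tail.
            return objects, blob[pos:]
        objects.append(obj)


def to_ndjson(blob: str) -> str:
    """Rewrite a concatenated-JSON blob as one compact JSON object per line,
    the shape a line-oriented log reader can consume directly."""
    objects, _remainder = split_concatenated_json(blob)
    lines = [json.dumps(o, separators=(",", ":")) for o in objects]
    return "\n".join(lines) + ("\n" if lines else "")


def guardduty_details(blob: str) -> List[dict]:
    """Return only the GuardDuty 'detail' sub-documents from a delivery,
    skipping any record that is not a GuardDuty finding envelope."""
    objects, _remainder = split_concatenated_json(blob)
    return [o["detail"] for o in objects
            if isinstance(o, dict) and o.get("detail-type") == "GuardDuty Finding"]


if __name__ == "__main__":
    found, rest = split_concatenated_json(FIREHOSE_BLOB)
    print(f"parsed {len(found)} records, unparsed tail: {rest!r}")
    for d in guardduty_details(FIREHOSE_BLOB):
        print(d["id"], d["type"], "severity", d["severity"])
    print(to_ndjson(FIREHOSE_BLOB), end="")
```

Run against an S3 object downloaded from the Firehose bucket, `to_ndjson` produces a file in which each line is one finding, which is the form the decoding output earlier in the thread was produced from. The remainder returned by `split_concatenated_json` is worth alerting on: a non-empty tail means findings were lost between Firehose and the parser, which is exactly the failure that leaves a GuardDuty table empty while nothing reports an error.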

Charles Rawls

Jan 17, 2023, 1:25:17 PM
to Wazuh mailing list
An interesting find: https://github.com/wazuh/wazuh/issues/4950. Reviewing and cogitating on the next steps. This may handle the GuardDuty ingestion...