Enrich data with wazuh

Monica Wife

Nov 18, 2022, 10:07:09 AM11/18/22
to Wazuh mailing list
Hi, I started working on a project in Wazuh. Actually, it's my first time creating rules and decoders, and I was wondering if there is any way to enrich the processed data? For example, I created a decoder to get the IP address from a log; is there any way to tell Wazuh to take that IP address and get more information from it?

Gonzalo Membrillo Solbes

Nov 18, 2022, 11:38:25 AM11/18/22
to Wazuh mailing list
Hello Monica,

Wazuh can only extract information that is already present in a log. If the information you want to use isn't in that particular log, your decoder won't be able to extract it. For more information on rules and decoders, you can visit the following guides and documentation:


As for additional information from an extracted field, in particular the source IP address, Wazuh can extract geolocation data from it as long as the decoder extracted the IP address following a certain naming convention. In Wazuh's default configuration, geolocation is only performed on the fields data.srcip, data.win.eventdata.ipAddress and data.aws.sourceIPAddress. If your field isn't named like this, you can add it to the /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json file with the other geolocation fields.

Once you have done this, run the following command:

filebeat setup --pipelines

When you are done, check if your new rules and decoders show geolocation data on alerts. Keep in mind that the source IP address needs to be public, as private addresses don't have geolocation data linked to them.

I hope you find this helpful. Feel free to contact us again should you need to.

Best Regards,
Gonzalo
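As an added example, not code from this thread or from the Wazuh project: a small Python helper that adds a geoip processor for a custom decoder field to the Filebeat pipeline.json Gonzalo refers to, by cloning the processor that already handles data.srcip so the new field gets the same target_field and properties. The sample pipeline is constructed, and the field name data.myapp.client_ip is a hypothetical decoder output; run `filebeat setup --pipelines` after writing the file, as the answer says.

```python
import copy
import json
from pathlib import Path

# Constructed stand-in for the relevant part of Wazuh's Filebeat ingest pipeline
# (/usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json); only one of the
# default geoip processors is reproduced, with the option names the real one uses.
SAMPLE_PIPELINE = {
    "description": "Wazuh alerts pipeline",
    "processors": [
        {"json": {"field": "message", "add_to_root": True}},
        {"geoip": {"field": "data.srcip", "target_field": "GeoLocation",
                   "properties": ["city_name", "country_name", "region_name", "location"],
                   "ignore_missing": True, "ignore_failure": True}},
        {"remove": {"field": "message", "ignore_missing": True}},
    ],
}

def geoip_fields(pipeline):
    """Fields the pipeline already geolocates, in processor order."""
    return [p["geoip"]["field"] for p in pipeline["processors"] if "geoip" in p]

def add_geoip_processor(pipeline, field, template_field="data.srcip"):
    """Clone the geoip processor of `template_field` so it also runs on `field`.
    Returns True if one was added, False if `field` was already covered (idempotent),
    so re-running after a Wazuh upgrade rewrote pipeline.json never duplicates it."""
    if field in geoip_fields(pipeline):
        return False
    procs = pipeline["processors"]
    for i, proc in enumerate(procs):
        if proc.get("geoip", {}).get("field") == template_field:
            clone = copy.deepcopy(proc)          # keep target_field/properties identical
            clone["geoip"]["field"] = field
            procs.insert(i + 1, clone)           # right after the template, before 'remove'
            return True
    raise ValueError(f"no geoip processor for {template_field!r} to copy")

def patch_pipeline_file(path, field):
    """Edit pipeline.json in place; run `filebeat setup --pipelines` afterwards."""
    p = Path(path)
    pipeline = json.loads(p.read_text())
    if add_geoip_processor(pipeline, field):
        p.write_text(json.dumps(pipeline, indent=2) + "\n")
        return True
    return False
```

Geolocation is still only produced for public addresses, as the answer notes; the added processor simply leaves private addresses without a GeoLocation object because of ignore_missing/ignore_failure.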