Hello fazeen,
I've created a scenario where suspicious traffic is detected from a firewall (FIREWALL1), followed by four failed login attempts from a host (Host1).
Sample Logs:
Host1 Log:
{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"Host1","login":"failure"}
Firewall1 Log:
{"date":"03/01/2023 10:37:20","srcip":"192.168.1.23","name":"FIREWALL1","status":"suspicious"}
Sample Correlation Rules:
Rule 10010: This rule triggers when any traffic is flagged as suspicious by the firewall.
<rule id="10010" level="3">
  <decoded_as>json</decoded_as>
  <match>suspicious</match>
  <description>FIREWALL1 suspicious traffic</description>
</rule>
Rule 10011: This rule triggers when a login failure occurs on Host1.
<rule id="10011" level="3">
  <decoded_as>json</decoded_as>
  <match>failure</match>
  <description>Host1 login failure</description>
</rule>
Rule 10012: This rule triggers when there are 4 failed login attempts from Host1 within 20 seconds, all from the same source IP.
<rule id="10012" level="6" frequency="4" timeframe="20">
  <if_matched_sid>10011</if_matched_sid>
  <group>suspicious_event</group>
  <same_srcip/>
  <description>Multiple Host1 login failures</description>
</rule>
Rule 10013: This correlation rule triggers when suspicious traffic (matched by rule 10010) is followed by multiple login failures from the same IP (matched by the suspicious_event group).
<rule id="10013" level="10" timeframe="30">
  <if_matched_sid>10010</if_matched_sid>
  <if_group>suspicious_event</if_group>
  <same_srcip/>
  <description>Multiple login failures from suspicious traffic</description>
</rule>
To create custom rules, follow this guide:
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
If you have any additional logic or ideas for correlation, feel free to share them.
Let me know if you need further assistance!
Regards,
Hasitha Upekshitha
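To make the chain of four rules above concrete, here is an added Python simulation of the correlation logic (frequency, timeframe, same_srcip, and the parent/child chain from 10011 to 10012 to 10013). It is example code written for this reply, not Wazuh's analysis engine and not code from the original post; the sample log lines are constructed to match the two JSON shapes shown above, and the engine is a simplified model (it assumes a rule fires on the frequency-th match within the timeframe and that a child rule only fires when its parent fired for the same event), so treat the exact counting semantics as an assumption rather than a statement about Wazuh internals.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (only the two shapes are taken from the post above).
# One firewall "suspicious" event, then four login failures from the same IP within
# 20 seconds, plus one failure from a different IP that <same_srcip/> must not count.
SAMPLE_LOGS = [
    '{"date":"03/01/2023 10:37:18","srcip":"192.168.1.23","name":"FIREWALL1","status":"suspicious"}',
    '{"date":"03/01/2023 10:37:20","srcip":"192.168.1.23","name":"Host1","login":"failure"}',
    '{"date":"03/01/2023 10:37:23","srcip":"192.168.1.23","name":"Host1","login":"failure"}',
    '{"date":"03/01/2023 10:37:24","srcip":"10.0.0.9","name":"Host1","login":"failure"}',
    '{"date":"03/01/2023 10:37:27","srcip":"192.168.1.23","name":"Host1","login":"failure"}',
    '{"date":"03/01/2023 10:37:31","srcip":"192.168.1.23","name":"Host1","login":"failure"}',
]

# Hypothetical in-memory mirror of the four XML rules in the post.
RULES = {
    10010: {"level": 3, "match": "suspicious", "description": "FIREWALL1 suspicious traffic"},
    10011: {"level": 3, "match": "failure", "description": "Host1 login failure"},
    10012: {"level": 6, "if_matched_sid": 10011, "frequency": 4, "timeframe": 20,
            "groups": {"suspicious_event"}, "description": "Multiple Host1 login failures"},
    10013: {"level": 10, "if_matched_sid": 10010, "if_group": "suspicious_event",
            "timeframe": 30, "description": "Multiple login failures from suspicious traffic"},
}


class Correlator:
    """Stateful evaluator: remembers past alerts per (rule id, srcip) to honour <same_srcip/>."""

    def __init__(self, rules=RULES):
        self.rules = rules
        # history[sid][srcip] -> timestamps of earlier alerts for that rule and source IP
        self.history = defaultdict(lambda: defaultdict(deque))

    @staticmethod
    def parse(line):
        ev = json.loads(line)  # stands in for <decoded_as>json</decoded_as>
        ev["_ts"] = datetime.strptime(ev["date"], "%m/%d/%Y %H:%M:%S")
        ev["_raw"] = line
        return ev

    def _recent(self, sid, srcip, now, timeframe):
        """Expire entries older than the timeframe; return how many alerts remain."""
        q = self.history[sid][srcip]
        while q and now - q[0] > timedelta(seconds=timeframe):
            q.popleft()
        return len(q)

    def _record(self, sid, ev):
        self.history[sid][ev["srcip"]].append(ev["_ts"])

    def process(self, line):
        """Return the rule ids fired for one log line, in firing order."""
        ev = self.parse(line)
        now, ip = ev["_ts"], ev["srcip"]
        fired, groups = [], set()

        # Rules 10010 and 10011: plain <match> against the raw log text.
        for sid in (10010, 10011):
            if self.rules[sid]["match"] in ev["_raw"]:
                fired.append(sid)
                self._record(sid, ev)

        # Rule 10012: 4 alerts of rule 10011 from the same srcip within 20 s.
        r = self.rules[10012]
        if (r["if_matched_sid"] in fired
                and self._recent(r["if_matched_sid"], ip, now, r["timeframe"]) >= r["frequency"]):
            fired.append(10012)
            groups |= r["groups"]
            self._record(10012, ev)

        # Rule 10013: current event carries the suspicious_event group AND rule 10010
        # fired for the same srcip within the last 30 s.
        r = self.rules[10013]
        if (r["if_group"] in groups
                and self._recent(r["if_matched_sid"], ip, now, r["timeframe"]) >= 1):
            fired.append(10013)
            self._record(10013, ev)

        return fired


def run(lines=SAMPLE_LOGS):
    """Feed log lines through one correlator; returns {line index: fired rule ids}."""
    c = Correlator()
    return {i: c.process(line) for i, line in enumerate(lines)}


if __name__ == "__main__":
    for i, sids in run().items():
        print(i, sids, [RULES[s]["description"] for s in sids])
```

Running it shows that only the fourth failure from 192.168.1.23 (the last line) escalates to 10012 and then 10013, while the failure from 10.0.0.9 stays at 10011 because the source IP differs; that is the behaviour the same_srcip and timeframe options are there to enforce.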
