Enrich events with geoIP information | Filebeat Reference [7.12] | Elastic


Prachi Katakwar

May 24, 2021, 5:00:56 AM5/24/21
to Wazuh mailing list

Hi Team,

Could someone explain this link to me with an example/use case?

Enrich events with geoIP information | Filebeat Reference [7.12] | Elastic

BR

//Prachi

Sandra Ocando

May 24, 2021, 7:08:56 AM5/24/21
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

The default Wazuh installation includes an ingest pipeline that uses the Elasticsearch geoIP processor to enrich events with geographical information associated with their source IP. This pipeline also includes the special decoded fields for Windows events, AWS and GCP.

https://github.com/wazuh/wazuh/blob/4.1/extensions/filebeat/7.x/wazuh-module/alerts/ingest/pipeline.json#L7

This way, all Wazuh alerts that include a source IP are enriched with Geographical information which provides valuable context when doing incident analysis. For example, an 'sshd: authentication failed' alert includes the coordinates of its source IP as well as the City, Region and Country name (see attached image).

This information can be easily visualized in maps, in the attached images you'll find a map with the source IP geographical information for the 'sshd: authentication failed' alerts.

I hope you find this information useful, please do not hesitate to ask us any other doubts.

Best regards,
Sandra.

ssh-authentication-fail-alert.png
ssh-authentication-fail-map.png
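For readers who want to see what "an ingest pipeline that uses the geoip processor" looks like on the wire, the following is an added illustration written for this page, not the Wazuh module's pipeline.json linked above (that file is the one that actually runs). It assumes the field names the thread itself relies on: data.srcip for alerts decoded from syslog-style logs and data.win.eventdata.ipAddress for Windows events, both written into a GeoLocation object, which is the object the Kibana map later reads as GeoLocation.location.

```json
{
  "description": "Added example: geoIP enrichment of a Wazuh alert's source address (illustrative, not the Wazuh module pipeline)",
  "processors": [
    {
      "geoip": {
        "field": "data.srcip",
        "target_field": "GeoLocation",
        "properties": ["city_name", "region_name", "country_name", "location"],
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "data.win.eventdata.ipAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "region_name", "country_name", "location"],
        "ignore_missing": true
      }
    }
  ]
}
```

Two caveats a practitioner should keep in mind. ignore_missing: true means an event without that field passes through untouched instead of failing the pipeline, so a decoder that never fills srcip produces an alert with no GeoLocation and no error. And the processor only knows public address space: a private or otherwise unlisted source address (the "local network" case raised later in this thread) is decoded correctly by Wazuh but gets no GeoLocation at all. The quickest check for either condition is to POST a sample alert document to the pipeline's _simulate endpoint in Elasticsearch and inspect whether GeoLocation appears in the result.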

Prachi Katakwar

May 24, 2021, 9:47:15 AM5/24/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Thank you for the quick response. I have understood the logic as well with the example you gave below, thank you so much.

Also executed the commands given in: Enrich events with geoIP information | Filebeat Reference [7.12] | Elastic

Got stuck in the 3rd step.

2. Included the pipeline in filebeat.yml

[root@sekaissecdetection filebeat]# cat filebeat.yml
# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false

output.elasticsearch.hosts: ['http://10.64.97.71:9200']
# The Elastic guide places this key under output.elasticsearch; a bare top-level
# 'pipeline:' is not an output setting and has no effect. Note also that the Wazuh
# module ships its own ingest pipeline (with a geoip processor) for its alerts fileset.
output.elasticsearch.pipeline: geoip-info

3. Stuck in the 3rd step, running filebeat. What should I do here?

[root@sekaissecdetection filebeat]# ./filebeat.yml -e
-bash: ./filebeat.yml: Permission denied
[root@sekaissecdetection filebeat]# ./filebeat -e
-bash: ./filebeat: No such file or directory

BR

//Prachi

Sandra Ocando

May 25, 2021, 3:40:22 AM5/25/21
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

The issue with the 3rd step is that you need to remove the .yml extension, the command should be: ./filebeat -e . The Elasticsearch article is also assuming you're running this in the directory where the filebeat executable is. If filebeat is installed on a directory of the system's PATH, then running filebeat -e is sufficient.

In your case, I assume Filebeat may already be running as a service, so I would recommend using systemctl restart filebeat instead.

May I ask you what your use case is? I see that you are using the Wazuh module so your alerts are already enriched with geographical information.

Best regards,
Sandra.

Prachi Katakwar

May 25, 2021, 5:03:28 AM5/25/21
to Sandra Ocando, Wazuh mailing list

Hello Sandra,

Good morning.

My use case is to get the alerts with geographical information, like you showed with an example in yesterday's email.

If a user is logging in to a server, his/her geographical location could be displayed on the Kibana map. This is what we want to achieve.

I did the 3 steps given in the link. What to do next?

As of now, if I click on Security Events -> Authentication Failure -> click on one of the security alerts, I am not getting the geolocation. Basically we want geolocations for our events.


Sandra Ocando

May 25, 2021, 6:34:48 AM5/25/21
to Prachi Katakwar, Wazuh mailing list
Hi Prachi,

Could you please check if your alert has an external IP in the data.win.eventdata.ipAddress field? If the IP is from a local network no geographical information will be available.

What version of Wazuh and Elastic Stack are you using? Are you using Logstash?

Could you please share your /etc/filebeat/filebeat.yml and the ingest pipeline /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json?

Best regards,
Sandra.

Prachi Katakwar

Jun 1, 2021, 9:50:52 AM6/1/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Very sorry for the delay in replying, but I was trying to connect the dots of this use case.

I discussed this case with my management. We have Pulse Secure Connect in our environment, where we could trace each and every user logging in to our environment.

Is there a way by which Wazuh could read the logs from Pulse Secure, so that we know who is accessing our servers and from where they are accessing them, to be located on the Kibana map through PCI DSS compliance?

Are these 4 main things, Pulse Secure, Wazuh, Kibana Map and PCI DSS, making any sense, or could we join them to make some sense?

This was done by some employee in my organization long back in 2014 when Wazuh was quite new. The same is expected from me now, and yes, I am finding it interesting to research and implement 😊

To answer your questions:

What version of Wazuh and Elastic Stack are you using? Are you using Logstash?

Ans: No, we are not using Logstash. All the below components are in one single CentOS 8 VM.

Component        Previous version   Upgraded version
Wazuh            3.12               4.1
Elasticsearch    7.6                7.10.2
Filebeat         7.6                7.10.2
Kibana           7.6                7.10.2

Could you please share your /etc/filebeat/filebeat.yml and the ingest pipeline /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json?

Ans: Yes, please find them attached.

Waiting to hear from you.

filebeat.yml
pipeline.json

Sandra Ocando

Jun 2, 2021, 3:29:43 AM6/2/21
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

Wazuh can read Pulse Secure logs via syslog. To do so, enable syslog output in Pulse Secure https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/Configuring%20Syslog.htm and configure Wazuh to read these logs via remote syslog https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog.

Once Wazuh receives these logs, you need to create custom rules and decoders to analyze them. Here's more information on how to do so: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

If a source IP is present in the Pulse Secure logs, the alerts triggered by the new rules will contain this information and can be enriched with geographical information in the default Wazuh pipeline. The final result will allow you to create a map visualization in Kibana using this information.

Please don't hesitate to ask any other doubt you may have.

Best regards,
Sandra.

Prachi Katakwar

Jun 2, 2021, 12:16:48 PM6/2/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Thank you for the quick and intelligent response. I have done the following steps:

STEP 1: In Pulse Secure Connect, since we are concerned with user access, where the user's IP is coming from, and want to trace the location of the user on the Kibana map, as you specified in the link below, I have made the changes in Pulse Secure for the "User access" log category.

In "Select events to log", mostly all the events were checked by default, so I left it as it is and only added the IP of the Wazuh server. Is it correct?

STEP 2: Then on the Wazuh server end, in the ossec.conf file, we have already allowed the IP range from the access server:

  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.64.96.0/24</allowed-ips>
    <port>513</port>
    <protocol>tcp</protocol>
  </remote>

Now, how do I know whether Wazuh is receiving the user logs from Pulse Secure Connect?

I am going through the documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

But I am not very sure how to create a rule such that I could track a user's location through his/her IP address, or how to bring the final result to create a map visualization in Kibana.

Sorry, I am asking too many questions in one go.

Prachi Katakwar

Jun 3, 2021, 8:40:47 AM6/3/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Waiting curiously for your reply.

BR

//Prachi

Sandra Ocando

Jun 4, 2021, 2:44:12 AM6/4/21
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

In your configuration, I see you are using different communication protocols (UDP in Pulse Secure and TCP in Wazuh remote syslog configuration). Select one protocol and change the configuration accordingly.

To check if Wazuh is receiving the Pulse Secure logs enable the logall option https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall. Note that this option will store all events whether they trigger a rule or not so disable it after testing to avoid excessive disk storage consumption.  After editing the ossec.conf remember to restart the manager so changes take effect.

Look for Pulse Secure logs in /var/ossec/logs/archives/archives.log. Send us an example of the Pulse Secure logs that you want to monitor so we can give you an example of a custom rule and decoder.

Best regards,
Sandra.

Prachi Katakwar

Jun 4, 2021, 7:31:51 AM6/4/21
to Sandra Ocando, Wazuh mailing list

Hi Team,

If Sandra is occupied with something, could anyone else please assist me on this?

It's important for my team; they are waiting curiously for the wonders in Wazuh.

BR

//Prachi

 


Prachi Katakwar

Jun 4, 2021, 2:31:37 PM6/4/21
to Sandra Ocando, Wazuh mailing list

Hello Sandra,

Yessssssss it worksssssssssssssssssssssssssss! Yipppyyyyyyy, Wazuh has hired all the geniuses of the world!!!

Step 1: This is the Pulse Secure event. It states a syslog connection is established.

Step 2: After enabling logall, I could see the user logs which we want from Pulse Secure. So below is the example: here user abc is logging in from IP address 122.175.229.202 to our site, so we want to map the geographical location of this IP (122.175.229.202) on the Kibana map. So whenever any user logs in to our site, we would get its geolocation on our Kibana map. How to do this interesting thing?

As of now, I have disabled logall to avoid disk space consumption.

For more information, in Pulse Secure, under User Access Logs, the below user is logged in from the IP address to our site. We want the geographical location of this user on Kibana, so whenever there is a user access log in Pulse Secure, we get the geolocation on the Kibana map.

BR

//Prachi

Sandra Ocando

Jun 7, 2021, 3:33:09 AM6/7/21
to Prachi Katakwar, Wazuh mailing list
Hi Prachi,

The next step is to create custom rules and decoders for these Pulse Secure logs. Could you send me a plain text log?

In the image you sent the log messages are cropped, after the source IP [122.175.229.202] there's part of the message that is not shown.

Best regards,
Sandra.

Prachi Katakwar

Jun 7, 2021, 4:25:21 AM6/7/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Good morning, yes surely.

Case 1: 2021 Jun 07 10:10:15 sekaissecdetection->10.64.96.74 1 2021-06-07T10:10:15+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-07 10:10:15 - seliinfw00006 - [27.57.26.176] HUBSEKA\ecdghiv(E3 Users)[E3 Administrator Role] - Remote address for user HUBSEKA\ecdghiv/E3 Users changed from 27.57.26.176 to 122.164.87.244.

OR

Case 2: 2021 Jun 07 10:05:27 sekaissecdetection->10.64.96.74 1 2021-06-07T10:05:27+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-07 10:05:27 - seliinfw00006 - [111.125.192.108] HUBSEKA\emaball(CUST)[] - Primary authentication successful for HUBSEKA\emaball/vmxe014-vmxe064 from 111.125.192.108

So we need to map the geographical location through the IP address from where the user is trying to access our site, as per the logs in Pulse Secure which are now reflected in Wazuh. In Case 1 it is [27.57.26.176], and in Case 2 it is [111.125.192.108].

Prachi Katakwar

Jun 7, 2021, 8:05:29 AM6/7/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Sorry to bother you again and again, I am eagerly waiting for your reply.

Sandra Ocando

Jun 7, 2021, 9:45:04 AM6/7/21
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

I'm sending custom rules and decoders for the logs you sent earlier.

You can add the following decoders in the /var/ossec/etc/decoders/local_decoder.xml  file:

<decoder name="pulsesecure">
    <prematch>\d+ \S+ \S+ PulseSecure:</prematch>
</decoder>
<!--

1 2021-06-07T10:10:15+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-07 10:10:15 - seliinfw00006 - [27.57.26.176] HUBSEKA\ecdghiv(E3 Users)[E3 Administrator Role] - Remote address for user HUBSEKA\ecdghiv/E3 Users changed from 27.57.26.176 to 122.164.87.244.
-->
<decoder name="pulsesecure_address_changed">
    <parent>pulsesecure</parent>
    <prematch>Remote address for user</prematch>
    <regex offset="after_parent" type="pcre2">^ - - - (\S+ \S+) - \S+ - \[(\S*)\] .+ - Remote address for user (\S+) Users changed from \S+ to (\S+)\.</regex>
    <order>pulsecure_time,srcip,user,dstip</order>
</decoder>
<!--

1 2021-06-07T10:05:27+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-07 10:05:27 - seliinfw00006 - [111.125.192.108] HUBSEKA\emaball(CUST)[] - Primary authentication successful for HUBSEKA\emaball/vmxe014-vmxe064 from 111.125.192.108
-->
<decoder name="pulsesecure_primary_authentication">
    <prematch>Primary authentication</prematch>
    <parent>pulsesecure</parent>
    <regex offset="after_parent" type="pcre2">^ - - - (\S+ \S+) .+ - Primary authentication successful for (\S+) from (\S+)</regex>
    <order>pulsecure_time,user,srcip</order>
</decoder>

And the following rules in /var/ossec/etc/rules/local_rules.xml:

<!-- Group names are comma-separated tags; use the lowercase, comma-terminated form
     the stock local_rules.xml uses rather than a name containing a space. -->
<group name="pulsesecure,">
  <rule id="100002" level="0" noalert="1">
    <decoded_as>pulsesecure</decoded_as>
    <description>Pulse Secure messages grouped.</description>
  </rule>
  <rule id="100003" level="3">
    <if_sid>100002</if_sid>
    <match>Remote address</match>
    <description>Pulse secure: Remote address for user changed </description>
  </rule>
  <rule id="100004" level="3">
    <if_sid>100002</if_sid>
    <match>Primary authentication successful</match>
    <description>Pulse Secure:Primary authentication successful</description>
  </rule>
</group>

Please don't forget to restart the Wazuh manager after adding the new rules and decoders.

Using the Wazuh default pipeline the generated alerts will be enriched with geographical information (see attached image).

You can customize these decoders and rules to include the most relevant information for you as well as an alert level according to your needs. You can also expand the decoders and rules to analyze all the relevant Pulse Secure logs. For more information see our documentation https://documentation.wazuh.com/current/user-manual/ruleset/custom.html , https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html?highlight=regex#pcre2-syntax .

To create a custom map visualization go to the Kibana top left menu and select: Visualize > Create a new visualization > Coordinate Map. Select wazuh-alerts-* as source. Create a filter with your custom Pulse Secure rules, for example 100003 and 100004, and add a new bucket with Aggregation Geohash and Field GeoLocation.location and update the map (for more information see attached image).

Best regards,
Sandra.
Custom_map.png
PulseSecure_authentication_successful.png

Prachi Katakwar

Jun 7, 2021, 11:44:56 PM6/7/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

It's completely disheartening to say, but I followed all the steps as you suggested below and am not getting the output.

Not sure what is wrong. How can we check? Please guide me, Sandra. I am feeling really, really bad; somewhere I am making a mistake.

Do I have to enable logall as yes in ossec.conf?

STEP 1: [root@sekaissecdetection ~]# cat /var/ossec/etc/decoders/local_decoder.xml
<!-- Local Decoders -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->

<!--
  - Allowed static fields:
  - location   - where the log came from (only on FTS)
  - srcuser    - extracts the source username
  - dstuser    - extracts the destination (target) username
  - user       - an alias to dstuser (only one of the two can be used)
  - srcip      - source ip
  - dstip      - dst ip
  - srcport    - source port
  - dstport    - destination port
  - protocol   - protocol
  - id         - event id
  - url        - url of the event
  - action     - event action (deny, drop, accept, etc)
  - status     - event status (success, failure, etc)
  - extra_data - Any extra data
-->

<decoder name="local_decoder_example">
    <program_name>local_decoder_example</program_name>
</decoder>

<decoder name="example">
  <program_name>^example</program_name>
</decoder>

<decoder name="pulsesecure">
    <prematch>\d+ \S+ \S+ PulseSecure:</prematch>
</decoder>

<decoder name="pulsesecure_address_changed">
    <parent>pulsesecure</parent>
    <prematch>Remote address for user</prematch>
    <regex offset="after_parent" type="pcre2">^ - - - (\S+ \S+) - \S+ - \[(\S*)\] .+ - Remote address for user (\S+) Users changed from \S+ to (\S+)\.</regex>
    <order>pulsecure_time,srcip,user,dstip</order>
</decoder>

<decoder name="pulsesecure_primary_authentication">
    <prematch>Primary authentication</prematch>
    <parent>pulsesecure</parent>
    <regex offset="after_parent" type="pcre2">^ - - - (\S+ \S+) .+ - Primary authentication successful for (\S+) from (\S+)</regex>
    <order>pulsecure_time,user,srcip</order>
</decoder>

STEP 2: [root@sekaissecdetection ~]# cat /var/ossec/etc/rules/local_rules.xml
<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="60612" level="3" overwrite="yes">
    <if_sid>60609</if_sid>
    <field name="win.system.eventID">^11707$|^1033$</field>
    <description>Application Installed $(win.eventdata.data)</description>
    <options>no_full_log</options>
    <options>no_email_alert</options>
  </rule>

  <rule id="100002" level="0" noalert="1">
    <decoded_as>pulsesecure</decoded_as>
    <description>Pulse Secure messages grouped.</description>
  </rule>
  <rule id="100003" level="3">
    <if_sid>100002</if_sid>
    <match>Remote address</match>
    <description>Pulse secure: Remote address for user changed </description>
  </rule>
  <rule id="100004" level="3">
    <if_sid>100002</if_sid>
    <match>Primary authentication successful</match>
    <description>Pulse Secure:Primary authentication successful</description>
  </rule>

</group>

 

Then I restarted the Wazuh manager, but if I go to the Security module and then click on Events, I cannot see something like your screenshot.

Also, if I go to Kibana -> Visualize -> Create visualization -> click on Coordinate Map, it comes like below:

BR

//Prachi

 

 

 

 

 

 


Sandra Ocando

Jun 8, 2021, 4:30:05 AM6/8/21
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

Using ossec-logtest you can test if the new rules and decoders are working properly, for example by doing:

echo '1 2021-06-07T10:05:27+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-07 10:05:27 - seliinfw00006 - [111.125.192.108] HUBSEKA\emaball(CUST)[] - Primary authentication successful for HUBSEKA\emaball/vmxe014-vmxe064 from 111.125.192.108' | /var/ossec/bin/ossec-logtest

You should get a response like this:

**Phase 1: Completed pre-decoding.
       full event: '1 2021-06-07T10:05:27+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-07 10:05:27 - seliinfw00006 - [111.125.192.108] HUBSEKA\emaball(CUST)[] - Primary authentication successful for HUBSEKA\emaball/vmxe014-vmxe064 from 111.125.192.108'
       timestamp: '(null)'
       hostname: 'localhost'
       program_name: '(null)'
       log: '1 2021-06-07T10:05:27+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-07 10:05:27 - seliinfw00006 - [111.125.192.108] HUBSEKA\emaball(CUST)[] - Primary authentication successful for HUBSEKA\emaball/vmxe014-vmxe064 from 111.125.192.108'
**Phase 2: Completed decoding.
       decoder: 'pulsesecure'
       pulsecure_time: '2021-06-07 10:05:27'
       dstuser: 'HUBSEKA\emaball/vmxe014-vmxe064'
       srcip: '111.125.192.108'
**Phase 3: Completed filtering (rules).
       Rule id: '100004'
       Level: '3'
       Description: 'Pulse Secure:Primary authentication successful'
**Alert to be generated.

To answer your question, there's no need to enable logall unless you want to verify that the manager is receiving the logs from Pulse Secure.

With the new custom rules, alerts will be triggered when the manager receives logs from Pulse Secure stating 'Primary authentication successful' or 'Remote address for user changed' like the ones you sent me. If the manager does not receive these logs then no alerts will be generated, can you check if the manager is receiving such logs? Take into account that the alerts will be triggered by logs received after the new rules and decoders were included and the manager was restarted.

Best regards,
Sandra

Prachi Katakwar

Jun 8, 2021, 2:21:58 PM6/8/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Apologies for bothering you again and again. As per your trailing email below, I tested it and got the same output as yours, which means whatever we have done is correct.

Now, on Wazuh, I am getting some logs as below from Pulse Secure:

2021 Jun 08 17:03:29 sekaissecdetection->10.64.96.74 1 2021-06-08T17:03:29+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-08 17:03:29 - seliinfw00006 - [106.212.64.153] HUBSEKA\epargro(CUST)[CUST-SEKAISTS-UNT-12] - Login succeeded for HUBSEKA\epargro/CUST (session:097c5795) from 106.212.64.153 with Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.81.

2021 Jun 08 17:01:14 sekaissecdetection->10.64.96.74 1 2021-06-08T17:01:14+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-08 17:01:14 - seliinfw00006 - [106.198.60.17] HUBSEKA\ENIKMXX(CUST)[CUST-SEKAISTS-UNT-06] - Login succeeded for HUBSEKA\ENIKMXX/CUST (session:90da3fe0) from 106.198.60.17 with Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36.

Step 1: So in the local decoder, /var/ossec/etc/decoders/local_decoder.xml, I appended the below, the same as for primary authentication.

Is it correct code?

<decoder name="pulsesecure_Login_succeeded">
    <prematch>Login succeeded</prematch>
    <parent>pulsesecure</parent>
    <regex offset="after_parent" type="pcre2">^ - - - (\S+ \S+) .+ - Login succeeded for (\S+) from (\S+)</regex>
    <order>pulsecure_time,user,srcip</order>
</decoder>

Step 2: In /var/ossec/etc/rules/local_rules.xml, I appended the below, the same as for primary authentication.

Is it a correct rule?

  <rule id="100005" level="3">
    <if_sid>100002</if_sid>
    <match>Login succeeded</match>
    <description>Pulse Secure:Login succeeded</description>
  </rule>
</group>

Sandra Ocando

Jun 9, 2021, 4:51:56 AM6/9/21
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

I tested your decoder and the source IP was not decoded successfully. This is because these logs, unlike the previous ones, include the session information after the username.

I suggest the following change:


<decoder name="pulsesecure_Login_succeeded">
    <prematch>Login succeeded</prematch>
    <parent>pulsesecure</parent>
    <regex offset="after_parent" type="pcre2">^ - - - (\S+ \S+) - \S+ - \[(\S*)\] .+ - Login succeeded for (\S+) .* from \S+</regex>
    <order>pulsecure_time,srcip,user</order>
</decoder>

With this new decoder you should receive the alerts with the geographical information included (see attached image).

Best regards,
Sandra.
PulseSecure_login_succeded.png
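The decoders and rules from the Jun 7 reply above, together with the corrected Login-succeeded decoder in this reply, can be exercised offline before they are deployed. The script below is an added example written for this page, not code from the thread or from Wazuh: it re-runs the same prematch / regex / order logic with Python's re module over sample events that are constructed here, modelled on the lines quoted in the thread, maps each event to the rule that would fire, shows why the first Login-succeeded regex extracts no srcip, and adds a check the thread only states in prose: whether the decoded srcip is a public address that the geoip processor can enrich. Field names (pulsecure_time, dstuser for the user alias) mirror what ossec-logtest prints. Wazuh's own engine remains the authority, so confirm with ossec-logtest before relying on it.

```python
import ipaddress
import re

# Constructed sample events, modelled on the Pulse Secure syslog lines quoted in the thread.
# The "2021 Jun 07 10:10:15 sekaissecdetection->10.64.96.74 " prefix seen in archives.log is
# the archive header, not part of the message, so it is not included here.
EV_ADDR_CHANGED = r"1 2021-06-07T10:10:15+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-07 10:10:15 - seliinfw00006 - [27.57.26.176] HUBSEKA\ecdghiv(E3 Users)[E3 Administrator Role] - Remote address for user HUBSEKA\ecdghiv/E3 Users changed from 27.57.26.176 to 122.164.87.244."
EV_PRIMARY_AUTH = r"1 2021-06-07T10:05:27+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-07 10:05:27 - seliinfw00006 - [111.125.192.108] HUBSEKA\emaball(CUST)[] - Primary authentication successful for HUBSEKA\emaball/vmxe014-vmxe064 from 111.125.192.108"
EV_LOGIN = r"1 2021-06-08T17:03:29+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-08 17:03:29 - seliinfw00006 - [106.212.64.153] HUBSEKA\epargro(CUST)[CUST-SEKAISTS-UNT-12] - Login succeeded for HUBSEKA\epargro/CUST (session:097c5795) from 106.212.64.153 with Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.81."

# Parent decoder: <prematch>\d+ \S+ \S+ PulseSecure:</prematch>
PARENT_PREMATCH = re.compile(r"\d+ \S+ \S+ PulseSecure:")

# Child decoders as (name, prematch substring, regex run on the text after the parent match,
# <order>). "user" is stored as "dstuser" because that is the alias Wazuh reports, and
# "pulsecure_time" keeps the spelling used in the thread's decoders.
CHILD_DECODERS = [
    ("pulsesecure_address_changed", "Remote address for user",
     re.compile(r"^ - - - (\S+ \S+) - \S+ - \[(\S*)\] .+ - Remote address for user (\S+) Users changed from \S+ to (\S+)\."),
     ("pulsecure_time", "srcip", "dstuser", "dstip")),
    ("pulsesecure_primary_authentication", "Primary authentication",
     re.compile(r"^ - - - (\S+ \S+) .+ - Primary authentication successful for (\S+) from (\S+)"),
     ("pulsecure_time", "dstuser", "srcip")),
    # Corrected "Login succeeded" decoder: the IP is taken from the bracketed field because
    # "(session:...)" sits between the user name and "from".
    ("pulsesecure_Login_succeeded", "Login succeeded",
     re.compile(r"^ - - - (\S+ \S+) - \S+ - \[(\S*)\] .+ - Login succeeded for (\S+) .* from \S+"),
     ("pulsecure_time", "srcip", "dstuser")),
]

# The first "Login succeeded" attempt from the thread, kept to show why it yields no srcip.
FIRST_LOGIN_ATTEMPT = (
    re.compile(r"^ - - - (\S+ \S+) .+ - Login succeeded for (\S+) from (\S+)"),
    ("pulsecure_time", "dstuser", "srcip"),
)

# Rules: (id, level, substring the <match> must find); all are children of grouping rule 100002.
RULES = [
    (100003, 3, "Remote address"),
    (100004, 3, "Primary authentication successful"),
    (100005, 3, "Login succeeded"),
]


def extract(regex, order, text):
    """Apply one child <regex> and map its capture groups onto the <order> field names."""
    m = regex.search(text)
    return dict(zip(order, m.groups())) if m else {}


def decode(log):
    """Mimic ossec-logtest phase 2: return (decoder name, decoded fields)."""
    m = PARENT_PREMATCH.search(log)
    if not m:
        return None, {}
    remainder = log[m.end():]  # offset="after_parent"
    for name, prematch, regex, order in CHILD_DECODERS:
        if prematch in remainder:
            return name, extract(regex, order, remainder)
    return "pulsesecure", {}


def match_rule(log):
    """Mimic phase 3: first child of 100002 whose <match> is found, as (rule id, level)."""
    decoder, _ = decode(log)
    if decoder is None:
        return None
    for rule_id, level, needle in RULES:
        if needle in log:
            return rule_id, level
    return None


def geoip_eligible(fields):
    """The geoip processor only has data for public addresses: a private source (the
    "local network" case in the thread) decodes fine but gets no GeoLocation."""
    return "srcip" in fields and ipaddress.ip_address(fields["srcip"]).is_global


def first_attempt_fields(log):
    """What the thread's first Login-succeeded decoder extracts (nothing: the regex fails)."""
    m = PARENT_PREMATCH.search(log)
    return extract(*FIRST_LOGIN_ATTEMPT, log[m.end():]) if m else {}


if __name__ == "__main__":
    for ev in (EV_ADDR_CHANGED, EV_PRIMARY_AUTH, EV_LOGIN):
        name, fields = decode(ev)
        print(name, fields, match_rule(ev), "geoip:", geoip_eligible(fields))
    print("first attempt on login event:", first_attempt_fields(EV_LOGIN))
```

Run it as a script to see the decoded fields next to the rule id each event would trigger; feeding the same raw message strings to /var/ossec/bin/ossec-logtest should give matching srcip and dstuser values. Python's re and PCRE2 agree on every construct these expressions use, but the parent <prematch> is an OSSEC-syntax expression in Wazuh, so extend the harness with care if you add constructs beyond \d, \S, quantifiers and literal text.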

Prachi Katakwar

Jun 9, 2021, 6:14:19 AM6/9/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

I am really not understanding what is blocking me from getting the geographical locations. Just an example:

In Wazuh, archives.log:

2021 Jun 09 12:00:14 sekaissecdetection->10.64.96.74 1 2021-06-09T12:00:14+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:00:14 - seliinfw00006 - [117.222.173.34] HUBSEKA\EARCGOP(CUST)[] - Primary authentication successful for HUBSEKA\EARCGOP/vmxe014-vmxe064 from 117.222.173.34

2021 Jun 09 12:00:14 sekaissecdetection->10.64.96.74 1 2021-06-09T12:00:14+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:00:14 - seliinfw00006 - [117.222.173.34] HUBSEKA\EARCGOP(CUST)[CUST-SEKAISTS-UNT-09] - Login succeeded for HUBSEKA\EARCGOP/CUST (session:75023928) from 117.222.173.34 with Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.81.

2021 Jun 09 12:00:19 sekaissecdetection->10.64.96.74 1 2021-06-09T12:00:19+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:00:19 - seliinfw00006 - [117.222.173.34] HUBSEKA\EARCGOP(CUST)[CUST-SEKAISTS-UNT-09] - HTML5 ACL check passed for "rdp" connection to "10.64.98.119" .

2021 Jun 09 12:00:20 sekaissecdetection->10.64.96.74 1 2021-06-09T12:00:20+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:00:20 - seliinfw00006 - [117.222.173.34] HUBSEKA\EARCGOP(CUST)[CUST-SEKAISTS-UNT-09] - Handshake completed successfully for "rdp" connection to "10.64.98.119".

2021 Jun 09 12:00:20 sekaissecdetection->10.64.96.74 1 2021-06-09T12:00:20+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:00:20 - seliinfw00006 - [117.222.173.34] HUBSEKA\EARCGOP(CUST)[CUST-SEKAISTS-UNT-09] - Number of concurrent HTML5 sessions 15.

BUT in Wazuh, in the Security module, in the event log for the server sekaists-unt-09, the rule id is not triggered. I have also attached the filebeat and pipeline.json files.

filebeat.yml
pipeline.json

Sandra Ocando

Jun 9, 2021, 6:44:18 AM6/9/21
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

Pulse Secure is sending the logs via syslog to the Wazuh manager and so the alerts will be generated on the manager and not the agents. Look for the Pulse Secure alerts in your Wazuh manager and let me know the result.

Best regards,
Sandra.

Prachi Katakwar

Jun 9, 2021, 7:56:39 AM6/9/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

This is from alerts.log on the Wazuh manager.

I have just grepped alerts.log for the source IPs coming from Pulse Secure. Completely confused now.

I just want to see the geographical location of the users who log in to our site on the Kibana map.

[root@sekaissecdetection alerts]# grep 117.222.173.34 alerts.log
Src IP: 117.222.173.34
1 2021-06-09T12:00:14+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:00:14 - seliinfw00006 - [117.222.173.34] HUBSEKA\EARCGOP(CUST)[] - Primary authentication successful for HUBSEKA\EARCGOP/vmxe014-vmxe064 from 117.222.173.34
Src IP: 117.222.173.34
1 2021-06-09T12:00:14+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:00:14 - seliinfw00006 - [117.222.173.34] HUBSEKA\EARCGOP(CUST)[CUST-SEKAISTS-UNT-09] - Login succeeded for HUBSEKA\EARCGOP/CUST (session:75023928) from 117.222.173.34 with Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.81.
[root@sekaissecdetection alerts]# grep 157.41.66.26 alerts.log
Src IP: 157.41.66.26
1 2021-06-09T10:17:20+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 10:17:20 - seliinfw00006 - [157.41.66.26] HUBSEKA\ersnpaa(CUST)[] - Primary authentication successful for HUBSEKA\ersnpaa/vmxe014-vmxe064 from 157.41.66.26
Src IP: 157.41.66.26
1 2021-06-09T12:15:53+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:15:53 - seliinfw00006 - [157.41.66.26] HUBSEKA\ersnpaa(CUST)[] - Primary authentication successful for HUBSEKA\ersnpaa/vmxe014-vmxe064 from 157.41.66.26
Src IP: 157.41.66.26
1 2021-06-09T12:15:53+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:15:53 - seliinfw00006 - [157.41.66.26] HUBSEKA\ersnpaa(CUST)[CUST-SEKAISTS-UNT-09] - Login succeeded for HUBSEKA\ersnpaa/CUST (session:3819182f) from 157.41.66.26 with Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36.
[root@sekaissecdetection alerts]# grep 85.224.163.13 alerts.log
Src IP: 85.224.163.13
1 2021-06-09T12:45:37+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:45:37 - seliinfw00006 - [85.224.163.13] HUBSEKA\epkhast(E3 Users)[] - Primary authentication successful for HUBSEKA\epkhast/vmxe014-vmxe064 from 85.224.163.13
Src IP: 85.224.163.13
1 2021-06-09T12:45:37+02:00 seliinfw00006.hubseka.ericsson.se PulseSecure: - - - 2021-06-09 12:45:37 - seliinfw00006 - [85.224.163.13] HUBSEKA\epkhast(E3 Users)[E3 Administrator Role] - Login succeeded for HUBSEKA\epkhast/E3 Users (session:afabf14b) from 85.224.163.13 with Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42.
[root@sekaissecdetection alerts]#

Sandra Ocando

Jun 9, 2021, 9:34:05 AM6/9/21
to Prachi Katakwar, Wazuh mailing list
Hi Prachi,

The alerts will be triggered on agent 000 (Wazuh manager), you can filter it in your Wazuh Kibana plugin.

Best regards,
Sandra.

Prachi Katakwar

Jun 9, 2021, 10:23:18 AM6/9/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Sorry, I am not able to figure it out. Could you please send some screenshots?

Prachi Katakwar

Jun 9, 2021, 10:44:22 AM6/9/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

I tried something, but there are no results for the selected time range, given as 24 hours.

Prachi Katakwar

Jun 9, 2021, 12:46:16 PM6/9/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra and Team,

Please could you help me to resolve this faster? What is breaking in the middle? Not feeling happy :(

Even when we have the external IP logs on Wazuh, why are we still not able to get the geographical locations?

Sandra Ocando

Jun 10, 2021, 6:03:42 AM6/10/21
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

To search for the manager's alerts you could search for "agent.id":"000" or under Modules > Security Events > Events  select the "agent.id" field from the left column and click on the plus sign to apply the filter (see attached images).  Also you can filter the alerts by rule number, for example, rule.id:100005.

Attached you'll find screenshots with examples.

Cheers,
Sandra.
Security_events_000.png
Security_events_agent_id.png
Security_events_rule_id.png

Prachi Katakwar

Jun 10, 2021, 6:39:11 AM6/10/21
to Sandra Ocando, Wazuh mailing list

Hi Sandraaaaaaaaaaaaaaaaaaaa,

Thank you so muchhhhhhhhhhhhhhh! Yes, I was not seeing this correctly, my bad, and I take accountability for my mistake.

I can see the IP, but not the geolocation. Please guide me on how to map this on Kibanaaaaaaaaaaaaaa.

Prachi Katakwar

Jun 10, 2021, 7:22:22 AM6/10/21
to Sandra Ocando, Wazuh mailing list

Prachi Katakwar

Jun 10, 2021, 8:47:59 AM6/10/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

For all the logs from Pulse Secure on the Wazuh manager, I am getting the below IP for location.

I am not getting the fields the way you got them (geo country, latitude, city name, srcip, data.dstuser). Please guide.

I want to complete this.

Prachi Katakwar

Jun 10, 2021, 11:53:35 PM6/10/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Only a few basic steps are left; we are done with the main thing. Please guide on the trailing email below.

Waiting anxiously to hear from you.

Regards,

Sandra Ocando

Jun 11, 2021, 2:12:26 AM6/11/21
to Prachi Katakwar, Wazuh mailing list
Hi Prachi,

To see the enriched alerts use the Events tabs instead of the Dashboard one. Go to Modules > Security Events > Events, look for your rule and see the details (see attached image).

Best regards,
Sandra.
Security_events_rule_100005.png

Prachi Katakwar

Jun 11, 2021, 2:42:15 AM6/11/21
to Sandra Ocando, Wazuh mailing list

Hi Sandra,

Amazingggggg, it's coming, as in the screenshot below. Our last step is mapping on Kibana. Please guide me on that.

Waiting eagerly for the mapping on Kibana.

Sandra Ocando

Jun 11, 2021, 4:23:51 AM6/11/21
to Prachi Katakwar, Wazuh mailing list
Hello Prachi,

To create a new map visualization go to your top left corner menu and select Maps.

- Select Add Layer > Documents.

- Select wazuh-alerts-* index pattern.

- Click on Add layer.

- Select a layer name and click on Save & close on the bottom right corner.

You can also add filters, like field "rule.id" operator "is" value "100005" to select your custom rule.

Finally, save your map. See attached images for more details.

Cheers,
Sandra.
New_map(1).png
Add_layer(2).png
Save_layer(3).png
Add_filter(4).png
Save_map(5).png