CEF format on SIEM


Николай Коротыгин

Jan 10, 2023, 12:47:52 PM
to Wazuh mailing list
Hi Wazuh,
We are outputting Manager alert data via syslog in cef format. We are seeing it in our SIEM, however the fields do not seem to be populating as we would like. Can we view and/or modify the cef mappings somehow? 
Our manager has this syslog configuration (screenshot: conf[375].png).
For example, I have been testing with file integrity checking and Windows logon events. For file integrity checks, I provided this screenshot in another post (screenshot: Alertsss.PNG).
In our test environment, I have generated integrity checksum changed alerts. However, we cannot see the diff information of what changed in the file. Can we view and/or change the mapping of (in the above example) to be mapped to another standardized field in our SIEM? (screenshot: alerts_log.PNG)
Legend for the screenshot: red: add fields; yellow: who was attacked; pink: who made the attack; green: with which account.
Thank you!

Francisco Tuduri

Jan 10, 2023, 6:17:05 PM
to Wazuh mailing list
Hello Nikolay!

Unfortunately, it is not possible to configure a different mapping for this CEF format. However, I will run some tests to validate whether the formatting is being done as expected.
Meanwhile, as an alternative depending on your system capabilities, keep in mind that Wazuh can also output these alerts in JSON format.

I'll get back to you after I perform these tests.
Regards!
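For reference, the format is selected in the manager's ossec.conf syslog_output block. The fragment below is an added example, not the configuration from the thread or its attached screenshot; the collector address, port and minimum alert level are placeholders (assumed values):

```xml
<ossec_config>
  <!-- Added example: forward alerts of level 3 and above to the SIEM collector
       as JSON. Address and port are placeholders (assumed). <format> accepts
       default, json, splunk and cef; "cef" is the fixed-mapping output
       discussed in this thread. -->
  <syslog_output>
    <server>192.0.2.10</server>
    <port>514</port>
    <format>json</format>
    <level>3</level>
  </syslog_output>
</ossec_config>
```

The syslog forwarder must also be enabled once on the manager (on Wazuh 4.x: /var/ossec/bin/wazuh-control enable client-syslog) and the manager restarted for the block to take effect. With format json each alert arrives as one JSON object per syslog message, so every field the manager stores (including syscheck.diff for FIM alerts) is available to the SIEM's own parser.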

Francisco Tuduri

Jan 11, 2023, 1:23:23 PM
to Wazuh mailing list
Hello again Nikolay!

Well, I've run some tests and it turns out that there is a bug in the CEF output of integrity check alerts. I've created an issue to track this.
In the meantime, I'm afraid that the only syslog output format that gets all the fields of these types of alerts is json.
Here is a sample of the JSON output for an integrity checksum changed alert (indented for clarity):
{
  "timestamp": "2023-01-11T13:59:40.934+0000",
  "rule": {
    "level": 7,
    "description": "Integrity checksum changed.",
    "id": "550",
    "mitre": {
      "id": [
        "T1565.001"
      ],
      "tactic": [
        "Impact"
      ],
      "technique": [
        "Stored Data Manipulation"
      ]
    },
    "firedtimes": 1,
    "mail": false,
    "groups": [
      "ossec",
      "syscheck",
      "syscheck_entry_modified",
      "syscheck_file"
    ],
    "pci_dss": [
      "11.5"
    ],
    "gpg13": [
      "4.11"
    ],
    "gdpr": [
      "II_5.1.f"
    ],
    "hipaa": [
      "164.312.c.1",
      "164.312.c.2"
    ],
    "nist_800_53": [
      "SI.7"
    ],
    "tsc": [
      "PI1.4",
      "PI1.5",
      "CC6.1",
      "CC6.8",
      "CC7.2",
      "CC7.3"
    ]
  },
  "agent": {
    "id": "000",
    "name": "jammy"
  },
  "manager": {
    "name": "jammy"
  },
  "id": "1673445580.74157",
  "full_log": "File '/tmp/fimtest/file1.txt' modified\nMode: scheduled\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '26' to '38'\nOld modification time was: '1673433838', now it is '1673445576'\nOld md5sum was: 'b68b9043dd0388d841cbe5739b6798b2'\nNew md5sum is : '8198d71ad8b05ca1b2a710035d58a974'\nOld sha1sum was: '9b658b6d431abdd572715ff5eba311ee6888292d'\nNew sha1sum is : '5cca1ef5f966e93434ae0c39e874d719fa8b86a4'\nOld sha256sum was: '45e825aa2112b884c2a07122d3a2f00dd7d148d3ea1eb8ca669a4c171de4e068'\nNew sha256sum is : '93d7ef4081d14b386221eb05d69eb4b213f8235497f75255ad7220eb2db7a060'\n",
  "syscheck": {
    "path": "/tmp/fimtest/file1.txt",
    "mode": "scheduled",
    "size_before": "26",
    "size_after": "38",
    "perm_after": "rw-r--r--",
    "uid_after": "0",
    "gid_after": "0",
    "md5_before": "b68b9043dd0388d841cbe5739b6798b2",
    "md5_after": "8198d71ad8b05ca1b2a710035d58a974",
    "sha1_before": "9b658b6d431abdd572715ff5eba311ee6888292d",
    "sha1_after": "5cca1ef5f966e93434ae0c39e874d719fa8b86a4",
    "sha256_before": "45e825aa2112b884c2a07122d3a2f00dd7d148d3ea1eb8ca669a4c171de4e068",
    "sha256_after": "93d7ef4081d14b386221eb05d69eb4b213f8235497f75255ad7220eb2db7a060",
    "uname_after": "root",
    "gname_after": "root",
    "mtime_before": "2023-01-11T10:43:58",
    "mtime_after": "2023-01-11T13:59:36",
    "inode_after": 267554,
    "diff": "2a3\n> Third line.\n",
    "changed_attributes": [
      "size",
      "mtime",
      "md5",
      "sha1",
      "sha256"
    ],
    "event": "modified"
  },
  "decoder": {
    "name": "syscheck_integrity_changed"
  },
  "location": "syscheck"
}

Regards!
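Since the built-in CEF mapping cannot be changed, one workaround is to consume the JSON syslog output and build the CEF line yourself, choosing which alert fields land in which CEF extension keys. The script below is an added example, not Wazuh's own CEF writer: it maps the integrity checksum changed alert from the reply above (embedded here, trimmed, as the sample input) to a CEF line, carries the diff in a custom string field so the SIEM can index it, and includes a small CEF parser so the escaping can be verified. The extension keys used (filePath, fileHash, oldFileHash, fsize, oldFileSize, externalId, cs1/cs1Label and so on) are standard CEF keys; the header vendor/product/version values and the linear scaling of Wazuh's 0-15 rule level onto CEF's 0-10 severity are assumptions made for this example.

```python
"""Map Wazuh JSON syslog alerts to CEF with an explicit field mapping.

Added example, not Wazuh's own CEF output code. The header values
(Wazuh/Wazuh/device_version) and the severity scaling are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the alert posted in the thread, trimmed to the
# fields this example maps.
SAMPLE_ALERT = {
    "timestamp": "2023-01-11T13:59:40.934+0000",
    "rule": {
        "level": 7, "description": "Integrity checksum changed.", "id": "550",
        "mitre": {"id": ["T1565.001"]},
        "groups": ["ossec", "syscheck", "syscheck_entry_modified", "syscheck_file"],
    },
    "agent": {"id": "000", "name": "jammy"},
    "manager": {"name": "jammy"},
    "id": "1673445580.74157",
    "syscheck": {
        "path": "/tmp/fimtest/file1.txt",
        "size_before": "26", "size_after": "38",
        "sha256_before": "45e825aa2112b884c2a07122d3a2f00dd7d148d3ea1eb8ca669a4c171de4e068",
        "sha256_after": "93d7ef4081d14b386221eb05d69eb4b213f8235497f75255ad7220eb2db7a060",
        "diff": "2a3\n> Third line.\n",
        "changed_attributes": ["size", "mtime", "md5", "sha1", "sha256"],
        "event": "modified",
    },
}


def esc_header(value: str) -> str:
    """Header fields: escape backslash and the '|' separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value: str) -> str:
    """Extension values: escape backslash and '=', encode CR/LF so the event stays one line."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def wazuh_level_to_cef_severity(level: int) -> int:
    """Wazuh rule levels run 0-15, CEF severity 0-10: scale linearly (assumption)."""
    return max(0, min(10, round(level * 10 / 15)))


def alert_to_cef(alert: dict, device_version: str = "unknown") -> str:
    """Build one CEF line from a Wazuh JSON alert (device_version is a placeholder)."""
    rule, sc = alert["rule"], alert.get("syscheck", {})
    header = ["CEF:0", "Wazuh", "Wazuh", device_version, str(rule["id"]),
              rule["description"], str(wazuh_level_to_cef_severity(rule["level"]))]
    ext: Dict[str, str] = {
        "rt": alert["timestamp"],
        "dvchost": alert["manager"]["name"],
        "dhost": alert["agent"]["name"],
        "externalId": alert["id"],
        "cat": ",".join(rule.get("groups", [])),
    }
    mitre_ids = ",".join(rule.get("mitre", {}).get("id", []))
    if mitre_ids:
        ext["cs2Label"], ext["cs2"] = "mitre", mitre_ids
    if sc:  # FIM-specific mapping: the part the thread's poster wanted to control
        ext["act"] = sc.get("event", "")
        ext["filePath"] = sc["path"]
        ext["oldFileSize"] = sc.get("size_before", "")
        ext["fsize"] = sc.get("size_after", "")
        ext["oldFileHash"] = sc.get("sha256_before", "")
        ext["fileHash"] = sc.get("sha256_after", "")
        # The diff is the field missing from the built-in CEF output; carry it in a
        # custom string field (cs1Label names it for the SIEM).
        if sc.get("diff"):
            ext["cs1Label"], ext["cs1"] = "diff", sc["diff"]
        if sc.get("changed_attributes"):
            ext["cs3Label"] = "changed_attributes"
            ext["cs3"] = ",".join(sc["changed_attributes"])
    pairs = " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items() if v)
    return "|".join(esc_header(h) for h in header) + "|" + pairs


def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a CEF line into its 7 header fields and an extension dict, honouring escapes."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped '|' or '\' inside a header field
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    ext_str = line[i:]
    # A key is a word token at the start or after whitespace followed by an
    # unescaped '='; an escaped '\=' inside a value never matches because the
    # character before its '=' is a backslash, not a word character.
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", ext_str))
    ext: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_str)
        raw = ext_str[m.end():end].rstrip(" ")
        ext[m.group(1)] = re.sub(r"\\(.)", lambda x: {"n": "\n", "r": "\r"}.get(x.group(1), x.group(1)), raw)
    return fields, ext


if __name__ == "__main__":
    print(alert_to_cef(SAMPLE_ALERT))
```

In a deployment this would sit behind the syslog relay that receives the manager's json-format output, calling alert_to_cef once per received JSON object and forwarding the result to the SIEM's CEF listener. The parser is there to confirm the escaping: a file path or rule description containing '|', '=' or a backslash must survive the round trip, and the multi-line diff must arrive as a single syslog line.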

Николай Коротыгин

Jan 18, 2023, 1:20:38 PM
to Wazuh mailing list

Hello!

Many thanks for the work done.

I apologize for such a long reply.

Now I'm testing sending to a MySQL server (the database is installed on the same server where the Wazuh server manager (ossec) will be deployed, following the installation-from-sources guide). How do I execute the command (make deps && make TARGET=server DATABASE=mysql) offline, with no internet access?

On Wednesday, January 11, 2023 at 21:23:23 UTC+3, francisc...@wazuh.com wrote:
(screenshot: error[439].PNG)