Last 24 hours alerts severity


Kuldeep Panchal

Oct 1, 2024, 4:34:30 AM
to Wazuh | Mailing List
Hello

How can I get the details of the last 24 hours of alerts for the critical, high, medium and low severity data?
I want two types of data, as shown in the screenshots below.

Can you please share how I can get the data using the Wazuh API or any other way?

Thank You
Kuldeep

Screenshot from 2024-10-01 12-43-52.png
Screenshot from 2024-10-01 12-44-32.png

victor....@wazuh.com

Oct 1, 2024, 7:37:56 AM
to Wazuh | Mailing List
Hello,

You can retrieve specific alerts from the Wazuh Indexer API by filtering based on certain parameters. For example, to get critical severity alerts collected on 01/10/2024, you can use the following command:

curl -k -u admin:<INDEXER_ADMIN_PASS> "https://<INDEXER_IP>:9200/wazuh-alerts-4.x-2024.10.01/_search?pretty=true" -H 'Content-Type: application/json' -d '
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "rule.level": {
              "gte": 15
            }
          }
        }
      ]
    }
  }
}'

This query fetches all alerts collected on 01/10/2024 with a rule level greater than or equal to 15.

The query targets a specific alert index (wazuh-alerts-4.x-2024.10.01/). However, more refined filtering is possible. For instance, you can modify the query to retrieve the same results using a timestamp filter, searching over all the alerts indices:

curl -k -u admin:<INDEXER_ADMIN_PASS> "https://<INDEXER_IP>:9200/wazuh-alerts-4.x-*/_search?pretty=true" -H 'Content-Type: application/json' -d '
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-1d/d",
              "lt": "now"
            }
          }
        },
        {
          "range": {
            "rule.level": {
              "gte": 15
            }
          }
        }
      ]
    }
  }
}'

You can achieve highly customizable alert management by utilizing these kinds of queries in a custom script automated via cron or another method.

Additionally, review the reports and email configuration to determine if they could meet your requirements. For further details, you can refer to the documentation on report generation and the guide on configuring email alerts, which may offer additional options that suit your needs.

Feel free to reach out if you have further questions.
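Editor's note, added example (not part of Victor's reply and not Wazuh's own tooling): the two curl queries above can be folded into a single request that returns counts per severity band instead of individual documents, using a range aggregation on rule.level with size 0. The severity bands are an assumption; the only anchors in this thread are "level 15 and above is critical" from the reply and the 7-11 band from the later post, so adjust the table to match your own dashboard. The indexer URL and credentials are the thread's placeholders, and the `search` callable is injected so the logic runs offline against a constructed response.

```python
"""Summarize the last N hours of Wazuh alerts by severity band (added example)."""
import json
from typing import Any, Callable, Dict

# Assumed severity bands (rule.level, inclusive at both ends).
# Only ">= 15 is critical" and "7-11" appear in the thread; the rest is a guess.
SEVERITY_BANDS = {
    "low": (0, 6),
    "medium": (7, 11),
    "high": (12, 14),
    "critical": (15, 15),
}

def build_severity_query(hours: int = 24) -> Dict[str, Any]:
    """Query body: alerts in the last `hours`, counted per band.
    size=0 returns only the aggregation, so the 10 000-hit result window is irrelevant."""
    ranges = [
        # 'to' is exclusive in a range aggregation, hence hi + 1.
        {"key": name, "from": lo, "to": hi + 1}
        for name, (lo, hi) in SEVERITY_BANDS.items()
    ]
    return {
        "size": 0,
        "track_total_hits": True,  # exact overall count instead of the default 10 000 cap
        "query": {
            "bool": {
                "filter": [
                    {"range": {"@timestamp": {"gte": f"now-{hours}h", "lte": "now"}}}
                ]
            }
        },
        "aggs": {"severity": {"range": {"field": "rule.level", "ranges": ranges}}},
    }

def summarize(response: Dict[str, Any]) -> Dict[str, int]:
    """Reduce the aggregation reply into {band: count}; bands with no bucket stay 0."""
    counts = {name: 0 for name in SEVERITY_BANDS}
    buckets = response.get("aggregations", {}).get("severity", {}).get("buckets", [])
    for bucket in buckets:
        if bucket["key"] in counts:
            counts[bucket["key"]] = bucket["doc_count"]
    counts["total"] = response["hits"]["total"]["value"]
    return counts

def severity_report(hours: int,
                    search: Callable[[Dict[str, Any]], Dict[str, Any]]) -> Dict[str, int]:
    """`search` posts a body to .../wazuh-alerts-4.x-*/_search and returns parsed JSON.
    It is injected so the report logic can be exercised without a live indexer."""
    return summarize(search(build_severity_query(hours)))

def live_search(body: Dict[str, Any],
                url: str = "https://<INDEXER_IP>:9200/wazuh-alerts-4.x-*/_search",
                auth=("admin", "<INDEXER_ADMIN_PASS>")) -> Dict[str, Any]:
    """Real transport using the thread's placeholders; needs the `requests` package."""
    import requests  # imported lazily so the offline demo has no third-party dependency
    # verify=False mirrors `curl -k`; point verify at the indexer CA bundle in production.
    r = requests.post(url, json=body, auth=auth, verify=False, timeout=30)
    r.raise_for_status()
    return r.json()

# Constructed sample reply, shaped like an OpenSearch range-aggregation response.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 12345, "relation": "eq"}, "hits": []},
    "aggregations": {"severity": {"buckets": [
        {"key": "low", "from": 0.0, "to": 7.0, "doc_count": 11000},
        {"key": "medium", "from": 7.0, "to": 12.0, "doc_count": 1200},
        {"key": "high", "from": 12.0, "to": 15.0, "doc_count": 140},
        {"key": "critical", "from": 15.0, "to": 16.0, "doc_count": 5},
    ]}},
}

if __name__ == "__main__":
    # Offline run against the constructed reply; swap in live_search for a real indexer.
    print(json.dumps(severity_report(24, lambda body: SAMPLE_RESPONSE), indent=2))
```

Because the work is done by the aggregation, the same body is suitable for a cron job that posts the per-band numbers somewhere, which is the automation route the reply suggests.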

Kuldeep Panchal

Oct 29, 2024, 6:29:59 AM
to Wazuh | Mailing List
Hello,

I am using the parameters below and getting data in the response:
{
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "_source": {
    "excludes": [
      "@timestamp"
    ]
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": {
            "timestamp": {
              "gte": "now-24h",
              "lte": "now",
              "format": "epoch_millis"
            }
          }
        },
        {
          "range": {
            "rule.level": {
              "gte": 7,
              "lte": 11
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

But with this query filter I am only able to get a total hits count of 10000 and cannot get more than 10000.
Can anyone help me with how I can get a total hits count above 10000 if the system has more?
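Editor's note, added example (not a reply from the thread and not Wazuh's own code): the 10000 figure is the indexer's default behaviour rather than a limit on the data. On the Wazuh indexer (OpenSearch) a plain from/size search cannot page beyond index.max_result_window, 10 000 by default, and hits.total.value is reported as 10000 with relation "gte" unless track_total_hits is set. The block below pages through the 24-hour, level 7-11 query from the post above with search_after, sorting on @timestamp and _id so every page resumes strictly after the last hit. The transport is injected and FakeIndexer is a constructed in-memory stand-in, so the example runs offline; using _id as the tie-breaker assumes the default indices.id_field_data.enabled setting.

```python
"""Walk more than 10 000 Wazuh alerts with search_after (added example)."""
from typing import Any, Callable, Dict, Iterator, List, Optional

Search = Callable[[Dict[str, Any]], Dict[str, Any]]

def build_page_query(size: int, after: Optional[List[Any]] = None,
                     min_level: int = 7, max_level: int = 11,
                     hours: int = 24) -> Dict[str, Any]:
    """One page of the 24h / rule.level query from the post, with a deterministic sort."""
    body = {
        "size": size,
        "track_total_hits": True,  # exact total instead of the 10 000 cap
        # _id as tie-breaker assumes the default indices.id_field_data.enabled=true;
        # a point-in-time search with _shard_doc is the heavier but safer alternative.
        "sort": [{"@timestamp": "asc"}, {"_id": "asc"}],
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": f"now-{hours}h", "lte": "now"}}},
            {"range": {"rule.level": {"gte": min_level, "lte": max_level}}},
        ]}},
    }
    if after is not None:
        body["search_after"] = after  # resume strictly after the last hit seen
    return body

def iter_alerts(search: Search, page_size: int = 1000, **filters) -> Iterator[Dict[str, Any]]:
    """Yield every matching hit, page by page, until a short page ends the walk."""
    after = None
    while True:
        hits = search(build_page_query(page_size, after, **filters))["hits"]["hits"]
        yield from hits
        if len(hits) < page_size:
            return
        after = hits[-1]["sort"]

def exact_total(search: Search, **filters) -> int:
    """Exact match count; size=0 skips the documents themselves."""
    return search(build_page_query(0, **filters))["hits"]["total"]["value"]

class FakeIndexer:
    """Constructed in-memory indexer: honours size, sort, search_after,
    the rule.level range and the track_total_hits cap. Not a real client."""
    def __init__(self, alerts: List[Dict[str, Any]]):
        self.alerts = sorted(alerts, key=lambda a: (a["@timestamp"], a["_id"]))

    def search(self, body: Dict[str, Any]) -> Dict[str, Any]:
        level = body["query"]["bool"]["filter"][1]["range"]["rule.level"]
        matched = [a for a in self.alerts
                   if level["gte"] <= a["rule.level"] <= level["lte"]]
        # Without track_total_hits the real indexer reports at most 10 000 here.
        total = len(matched) if body.get("track_total_hits") else min(len(matched), 10000)
        after = body.get("search_after")
        if after is not None:
            matched = [a for a in matched if (a["@timestamp"], a["_id"]) > tuple(after)]
        page = matched[: body["size"]]
        return {"hits": {"total": {"value": total, "relation": "eq"},
                         "hits": [{"_id": a["_id"], "_source": a,
                                   "sort": [a["@timestamp"], a["_id"]]} for a in page]}}

# Constructed alerts: 40 000 events with rule.level cycling 0..15, so 12 500 fall in 7..11.
SAMPLE_ALERTS = [
    {"_id": f"alert-{i:06d}", "@timestamp": 1727740800000 + i * 1000, "rule.level": i % 16}
    for i in range(40000)
]

if __name__ == "__main__":
    idx = FakeIndexer(SAMPLE_ALERTS)
    print("exact total:", exact_total(idx.search))
    print("fetched:", sum(1 for _ in iter_alerts(idx.search, page_size=1000)))
```

Against a real indexer the `search` argument would be a function that POSTs the body to https://<INDEXER_IP>:9200/wazuh-alerts-4.x-*/_search with the admin credentials, as in the curl commands earlier in the thread. If only the count is needed, exact_total (size 0 plus track_total_hits) answers the question without pulling any documents.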