How to write a request?


Nemo191 Nm

Mar 18, 2024, 10:49:24 AM
to Wazuh | Mailing List
Please tell me. I need to find a user blocking event for 30 days, from 18:00 to 20:00. How do I write a request? I tried through filters; it doesn't work.

Manuel Alejandro Roldan Mella

Mar 19, 2024, 12:04:34 AM
to Wazuh | Mailing List
Hi Nemo191,

Please, try with this filter:
{
  "filters": {
    "date": {
      "from": "now-30d/d",
      "to": "now"
    },
    "query": {
      "rule.groups": "authentication_fail",
      "agent.name": "your-agent-name"
    },
    "timeframe": {
      "from": "18:00:00",
      "to": "20:00:00"
    }
  }
}

I hope this helps

Nemo191 Nm

Mar 19, 2024, 3:09:55 AM
to Wazuh | Mailing List
Thanks for the help. I'm sorry, I'm new to Wazuh, but where should I insert this query?

Tuesday, March 19, 2024 at 07:04:34 UTC+3, Manuel Alejandro Roldan Mella:

Nemo191 Nm

Mar 19, 2024, 3:35:53 AM
to Wazuh | Mailing List
The search is needed on all agents.

Tuesday, March 19, 2024 at 10:09:55 UTC+3, Nemo191 Nm:

Manuel Alejandro Roldan Mella

Mar 22, 2024, 8:30:25 AM
to Wazuh | Mailing List
Hi Nemo,

I would recommend that you check out the official documentation page dedicated to Wazuh Dashboard queries. You can find a broad overview and detailed instructions here: Wazuh Dashboard Queries.

This resource will guide you through creating and managing queries within the Wazuh Dashboard, offering insights into data filtering, search capabilities, and customization to suit your specific needs.

If you have any further questions after reviewing the documentation, please ask!

Nemo191 Nm

Mar 22, 2024, 8:58:53 AM
to Wazuh | Mailing List
Thanks, I've already looked there.

Friday, March 22, 2024 at 15:30:25 UTC+3, Manuel Alejandro Roldan Mella:

Nemo191 Nm

Mar 22, 2024, 9:50:59 AM
to Wazuh | Mailing List
Please look at the request code:

{
  "filters": {
    "date": {
      "from": "now-30d/d",
      "to": "now"
    },
    "query": {
      "data.win.eventdata.TargetUserName": "root",
      "rule.description": "User account locked out (multiple login errors)"
    },
    "timeframe": {
      "from": "18:00:00",
      "to": "20:00:00"
    }
  }
}

I noticed two fields: "data.win.eventdata.TargetUserName": "root",
is a  "rule.description": "User account locked out (multiple login errors)"


But a request error is returned.
I put the request code in the Edit filter, right?



Bad Request

parsing_exception

unknown query [filters]

Wrapper@https://10.0.2.15/47302/bundles/core/core.entry.js:15:558736

_createSuperInternal@https://10.0.2.15/47302/bundles/core/core.entry.js:15:557690

HttpFetchError@https://10.0.2.15/47302/bundles/core/core.entry.js:15:560748

_callee3$@https://10.0.2.15/47302/bundles/core/core.entry.js:15:585158

tryCatch@https://10.0.2.15/47302/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:786910

invoke@https://10.0.2.15/47302/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:790934

defineIteratorMethods/</<@https://10.0.2.15/47302/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:788105

fetch_asyncGeneratorStep@https://10.0.2.15/47302/bundles/core/core.entry.js:15:578070

_next@https://10.0.2.15/47302/bundles/core/core.entry.js:15:578410



Friday, March 22, 2024 at 15:58:53 UTC+3, Nemo191 Nm:
Query 02.jpg

Manuel Alejandro Roldan Mella

Mar 24, 2024, 11:20:11 PM
to Wazuh | Mailing List
Hi Nemo,

It seems you've encountered a parsing_exception due to the usage of unrecognized filters. I recommend restructuring your query:

{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-30d/d",
              "lte": "now"
            }
          }
        },
        {
          "term": {
            "data.win.eventdata.TargetUserName.keyword": "root"
          }
        },
        {
          "match": {
            "rule.description": "User account locked out (multiple login errors)"
          }
        }
      ]
    }
  }
}

I hope this helps
Regards

Nemo191 Nm

Mar 25, 2024, 5:13:02 AM
to Wazuh | Mailing List
Hello. Thank you for your help.

The code forgot:

"timeframe": {
  "from": "18:00:00",
  "to": "20:00:00"
}

I tried running your code.
I got this message:

Expand your time range

One or more of the indices you’re looking at contains a date field. Your query may not match anything in the current time range, or there may not be any data at all in the currently selected time range. You can try changing the time range to one which contains data.


Although I set the date range from 2023
to the current time.

and when I added the time range, from 18:00 - 20:00, an error appeared: An erroneous request.

It seems that the time range does not work.



{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-30d/d",
              "lte": "now"
            }
          }
        },
        {
          "term": {
            "data.win.eventdata.TargetUserName.keyword": "root"
          }
        },
        {
          "match": {
            "rule.description": "User account locked out (multiple login errors)"
          },
          "timeframe": {
            "from": "18:00:00",
            "to": "20:00:00"
          }
        }
      ]
    }
  }
}

Monday, March 25, 2024 at 06:20:11 UTC+3, Manuel Alejandro Roldan Mella:
003.jpg
004.jpg

Manuel Roldan

Mar 28, 2024, 11:59:22 PM
to Wazuh | Mailing List
Hi Nemo,

Thanks for your follow-up. The issue with the time range is due to the "timeframe" clause not being part of Elasticsearch's standard query syntax, which Wazuh uses for data queries. To filter events between 18:00 and 20:00, you'll need to use a script within your query range. Here's a modified version of your query to achieve this:

{
  "query": {
    "bool": {
      "must": [
        {
          "script": {
            "script": {
              "source": "doc['@timestamp'].value.getHour() >= params.hour_start && doc['@timestamp'].value.getHour() < params.hour_end",
              "params": {
                "hour_start": 18,
                "hour_end": 20
              }
            }
          }
        },

        {
          "range": {
            "@timestamp": {
              "gte": "now-30d/d",
              "lte": "now"
            }
          }
        },
        {
          "term": {
            "data.win.eventdata.TargetUserName.keyword": "root"
          }
        },
        {
          "match": {
            "rule.description": "User account locked out (multiple login errors)"
          }
        }
      ]
    }
  }
}

I hope this helps
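An added example to go with the script-based query above (this is not code from the thread or from Wazuh): the Python below builds the same DSL body but has the Painless script convert `@timestamp` into a chosen time zone before reading the hour, and it evaluates the identical predicate locally on constructed timestamps. It assumes the dashboard users sit in UTC+3 (the offset visible in the thread's quoted headers) and that `ZoneId.of` and `withZoneSameInstant` from `java.time` are whitelisted in your Painless version, as they are in current OpenSearch and Elasticsearch releases. The point it makes: Wazuh stores `@timestamp` in UTC, so a bare `getHour()` compares UTC hours, and an 18:00 to 20:00 local window quietly turns into a 15:00 to 17:00 local one, which alone can produce "No results match your search criteria".

```python
"""Build the thread's OpenSearch DSL query with a time-zone aware hour window and
evaluate the same predicate locally on constructed timestamps (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Assumption: users are in UTC+3, as the thread's quote headers suggest.
# Wazuh indices store @timestamp in UTC, so the hour must be converted first.
LOCAL_TZ_OFFSET = "+03:00"
LOCAL_TZ = timezone(timedelta(hours=3))

# Painless script: shift the UTC instant into params.tz, then compare the hour.
# ZoneId.of / withZoneSameInstant are java.time calls (assumed whitelisted).
HOUR_WINDOW_SCRIPT = (
    "def h = doc['@timestamp'].value"
    ".withZoneSameInstant(ZoneId.of(params.tz)).getHour(); "
    "return h >= params.hour_start && h < params.hour_end;"
)


def build_query(user: str, description: str, hour_start: int, hour_end: int,
                tz: str = LOCAL_TZ_OFFSET, days: int = 30) -> dict:
    """Return a body suitable for the dashboard's 'Edit as Query DSL' box."""
    return {
        "query": {
            "bool": {
                "filter": [
                    {"range": {"@timestamp": {"gte": f"now-{days}d/d", "lte": "now"}}},
                    # term on the .keyword sub-field is an exact, case-sensitive match
                    {"term": {"data.win.eventdata.TargetUserName.keyword": user}},
                    {"match": {"rule.description": description}},
                    {"script": {"script": {
                        "source": HOUR_WINDOW_SCRIPT,
                        "params": {"tz": tz, "hour_start": hour_start, "hour_end": hour_end},
                    }}},
                ]
            }
        }
    }


def in_hour_window(ts_utc: datetime, hour_start: int, hour_end: int, tz=LOCAL_TZ) -> bool:
    """Python twin of the Painless predicate: local hour in [hour_start, hour_end)."""
    h = ts_utc.astimezone(tz).hour
    return hour_start <= h < hour_end


def in_hour_window_utc(ts_utc: datetime, hour_start: int, hour_end: int) -> bool:
    """What the thread's original script effectively does: compare the UTC hour."""
    return hour_start <= ts_utc.hour < hour_end


# Constructed sample timestamps (UTC), labelled by their UTC+3 wall-clock time.
SAMPLES = {
    "18:30 local": datetime(2024, 3, 20, 15, 30, tzinfo=timezone.utc),
    "19:45 local": datetime(2024, 3, 20, 16, 45, tzinfo=timezone.utc),
    "20:00 local": datetime(2024, 3, 20, 17, 0, tzinfo=timezone.utc),   # end is exclusive
    "22:10 local": datetime(2024, 3, 20, 19, 10, tzinfo=timezone.utc),  # 19:10 UTC
}


def compare(hour_start: int = 18, hour_end: int = 20) -> dict:
    """Map each sample to (zone-aware match, naive UTC-hour match)."""
    return {
        label: (in_hour_window(ts, hour_start, hour_end),
                in_hour_window_utc(ts, hour_start, hour_end))
        for label, ts in SAMPLES.items()
    }


if __name__ == "__main__":
    print(json.dumps(build_query("root", "User account locked out (multiple login errors)", 18, 20), indent=2))
    for label, (zone_ok, utc_ok) in compare().items():
        print(f"{label}: zone-aware={zone_ok}, naive UTC check={utc_ok}")
```

Running it shows the 18:30 and 19:45 local events matching only the zone-aware check, while the 22:10 local event (19:10 UTC) matches only the naive one. If the script clause is rejected, check that script queries are enabled on the cluster (`search.allow_expensive_queries`), and prefer `filter` over `must` for these clauses since none of them should affect scoring.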

Nemo191 Nm

Mar 29, 2024, 4:43:51 AM
to Wazuh | Mailing List
Thanks for the help! I checked the operation of this code; a message appears: "No results match your search criteria
Expand your time range"

I've been setting the range to 1 year in the filters in OpenSearch Dashboards. I'm attaching screenshots; maybe I'm doing something wrong.
At least 3 events in 30 days occurred after 18:00.

Am I inserting the code correctly? In the EDIT FILTER window I clicked "Edit as Query DSL"; I did not insert anything in the FIELD field.
I am attaching screenshots, please take a look.
Friday, March 29, 2024 at 06:59:22 UTC+3, Manuel Roldan:
000_01.jpg
003_01.jpg
001_01.jpg
002_01.jpg

Manuel Roldan

Apr 1, 2024, 9:12:54 AM
to Wazuh | Mailing List
Hi Nemo,

Everything seems right, I'll check deeper and get back to you soon.

Nemo191 Nm

Apr 1, 2024, 10:00:54 AM
to Wazuh | Mailing List
Thank you!

Monday, April 1, 2024 at 16:12:54 UTC+3, Manuel Roldan:

Manuel Roldan

Apr 16, 2024, 11:37:12 PM
to Wazuh | Mailing List
Hi Nemo,

I'm sorry for not getting back to you sooner. I've reviewed the filter settings you mentioned. Here are a few checks you might want to perform:

  • Server Time Zone: Ensure it matches the expected time for your logs.
  • Date Range: Confirm the events are within the last 30 days.
  • User Field: Check that data.win.eventdata.TargetUserName.keyword contains "root".
  • Rule Description: Make sure it matches exactly as stored in the logs.
  • Indices: Ensure you search the correct indices where these logs are stored.
I hope these suggestions help!
Regards 

Nemo191 Nm

Apr 17, 2024, 3:08:40 AM
to Wazuh | Mailing List
Hi. Thanks for the help, but so far I haven't found any errors.

Wednesday, April 17, 2024 at 06:37:12 UTC+3, Manuel Roldan:

Manuel Alejandro Roldan Mella

Apr 17, 2024, 11:44:43 PM
to Wazuh | Mailing List

Hi Nemo,

To further assist you, I have a few more questions:

- Log Verification: Can you confirm if you see any relevant logs in the alerts.json file that match your criteria but are not showing up in your queries? This can help determine the issue with the query or the data itself.
- Recent Changes: Have there been any recent changes to the configuration or updates in Wazuh that might affect log processing?
- Elasticsearch Health: Can you check Elasticsearch's health status to ensure it's functioning properly and all indices are up to date?
- Log Samples: Could you provide examples of log entries that you believe should match the query? This can help identify a mismatch in field values or configurations.
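An added example for the "Log Verification" and "Log Samples" questions above, and for the earlier checklist (server time zone, date range, user field, rule description); it is not code from the thread or from Wazuh. It reads alerts.json-style lines (one JSON object per line), applies the thread's criteria the way the DSL would, and reports per event which criterion excludes it, which is the quickest way to tell a query problem from a data problem. The alert lines are constructed for illustration, "now" is fixed so the output is reproducible, and UTC+3 is assumed for the local hour window. Two details it encodes: a `term` on the `.keyword` sub-field is exact and case-sensitive, so "Root" does not match "root"; and the rule description is checked as a phrase (what `match_phrase` does), since a plain `match` is looser and is never the clause that hides an event.

```python
"""Triage constructed alerts.json lines against the thread's query criteria and
report, per event, which criterion would exclude it (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the shape of Wazuh's alerts.json; values are made up.
SAMPLE_ALERTS_JSON = """\
{"timestamp":"2024-03-20T15:30:12.000+0000","rule":{"description":"User account locked out (multiple login errors)"},"data":{"win":{"eventdata":{"TargetUserName":"root"}}}}
{"timestamp":"2024-03-21T16:05:00.000+0000","rule":{"description":"User account locked out (multiple login errors)"},"data":{"win":{"eventdata":{"TargetUserName":"Root"}}}}
{"timestamp":"2024-03-22T09:00:00.000+0000","rule":{"description":"User account locked out (multiple login errors)"},"data":{"win":{"eventdata":{"TargetUserName":"root"}}}}
{"timestamp":"2024-01-05T15:45:00.000+0000","rule":{"description":"User account locked out (multiple login errors)"},"data":{"win":{"eventdata":{"TargetUserName":"root"}}}}
{"timestamp":"2024-03-23T15:45:00.000+0000","rule":{"description":"Windows User Logoff."},"data":{"win":{"eventdata":{"TargetUserName":"root"}}}}
"""

# Fixed "now" for a deterministic run; in real use take datetime.now(timezone.utc).
NOW = datetime(2024, 3, 25, 12, 0, tzinfo=timezone.utc)
LOCAL_TZ = timezone(timedelta(hours=3))  # assumption: dashboard users are in UTC+3


def get_path(doc: dict, dotted: str):
    """Walk a dotted field name (as written in the DSL) through nested JSON."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_ts(value: str) -> datetime:
    """alerts.json timestamps look like 2024-03-20T15:30:12.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def triage(lines: str, user: str, description: str, hour_start: int, hour_end: int,
           days: int = 30, now: datetime = NOW) -> list:
    """Return [(timestamp, [reasons])]; an empty reason list means the event would match."""
    # now-30d/d rounds the lower bound down to the start of that UTC day
    start = (now - timedelta(days=days)).replace(hour=0, minute=0, second=0, microsecond=0)
    results = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        doc = json.loads(raw)
        ts = parse_ts(doc["timestamp"])
        reasons = []
        if not (start <= ts <= now):
            reasons.append("outside date range")
        tun = get_path(doc, "data.win.eventdata.TargetUserName")
        if tun is None:
            reasons.append("TargetUserName field absent")
        elif tun != user:  # term on .keyword: exact and case-sensitive
            reasons.append(f"TargetUserName {tun!r} != {user!r} (term/.keyword is case-sensitive)")
        desc = get_path(doc, "rule.description") or ""
        if description.lower() not in desc.lower():  # phrase check, like match_phrase
            reasons.append(f"rule.description mismatch: {desc!r}")
        local_hour = ts.astimezone(LOCAL_TZ).hour
        if not (hour_start <= local_hour < hour_end):
            reasons.append(f"local hour {local_hour} outside {hour_start}-{hour_end}")
        results.append((doc["timestamp"], reasons))
    return results


if __name__ == "__main__":
    crit = ("root", "User account locked out (multiple login errors)", 18, 20)
    for ts, reasons in triage(SAMPLE_ALERTS_JSON, *crit):
        print(ts, "MATCH" if not reasons else "; ".join(reasons))
```

Point it at a real file with `triage(open("/var/ossec/logs/alerts/alerts.json").read(), ...)` on the manager; if every candidate event comes back with a reason, the data (not the dashboard query) is what needs attention, and the reason names the field to fix.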

Nemo191 Nm

May 2, 2024, 9:40:57 AM
to Wazuh | Mailing List
Hello. Take a look at this. Corrected only:
"data.win.eventdata.TargetUserName ": "Targ"
"rule.description": " Windows User Logoff ."

Does not work.

Thursday, April 18, 2024 at 06:44:43 UTC+3, Manuel Alejandro Roldan Mella:
2024-05-02 16-31-23.mkv