How write a request ?

154 views
Skip to first unread message

Nemo191 Nm

unread,
Mar 18, 2024, 10:49:24 AMMar 18
to Wazuh | Mailing List
Please tell me. I need to find a user blocking event for 30 days from 18:00 to 20:00 how do I write a request, tried through filters, it doesn't work?

Manuel Alejandro Roldan Mella

unread,
Mar 19, 2024, 12:04:34 AMMar 19
to Wazuh | Mailing List
Hi Nemo191,

Please, try with this filter:
{
  "filters": {
    "date": {
      "from": "now-30d/d",
      "to": "now"
    },
    "query": {
      "rule.groups": "authentication_fail",
      "agent.name": "your-agent-name"
    },
    "timeframe": {
      "from": "18:00:00",
      "to": "20:00:00"

    }
  }
}

I hope this helps

Nemo191 Nm

unread,
Mar 19, 2024, 3:09:55 AMMar 19
to Wazuh | Mailing List
Thanks for the help. I'm sorry, I'm new to wazuh, but where should I insert this query?

вторник, 19 марта 2024 г. в 07:04:34 UTC+3, Manuel Alejandro Roldan Mella:

Nemo191 Nm

unread,
Mar 19, 2024, 3:35:53 AMMar 19
to Wazuh | Mailing List
The search is needed on all agents

вторник, 19 марта 2024 г. в 10:09:55 UTC+3, Nemo191 Nm:

Manuel Alejandro Roldan Mella

unread,
Mar 22, 2024, 8:30:25 AMMar 22
to Wazuh | Mailing List
Hi Nemo,

 I would recommend that you check out the official documentation page dedicated to Wazuh Dashboard queries. You can find a broad overview and detailed instructions here: Wazuh Dashboard Queries.

This resource will guide you through creating and managing queries within the Wazuh Dashboard, offering insights into data filtering, search capabilities, and customization to suit your specific needs.

If you have any further questions after reviewing the documentation, please ask!

Nemo191 Nm

unread,
Mar 22, 2024, 8:58:53 AMMar 22
to Wazuh | Mailing List
Thanks, I've already looked there.

пятница, 22 марта 2024 г. в 15:30:25 UTC+3, Manuel Alejandro Roldan Mella:

Nemo191 Nm

unread,
Mar 22, 2024, 9:50:59 AMMar 22
to Wazuh | Mailing List
Please look at the request code


{
  "filters": {
    "date": {
      "from": "now-30d/d",
      "to": "now"
    },
    "query": {
      "data.win.eventdata.TargetUserName": "root",
      "rule.description": "User account locked out (multiple login errors)"

    },
    "timeframe": {
      "from": "18:00:00",
      "to": "20:00:00"
    }
  }
}

I noticed two fields: "data.win.eventdata.TargetUserName": "root",
is a  "rule.description": "User account locked out (multiple login errors)"


But a request error is returned.
I put the request code in the Edit filter, right?



Bad Request

parsing_exception

unknown query [filters]

Wrapper@https://10.0.2.15/47302/bundles/core/core.entry.js:15:558736

_createSuperInternal@https://10.0.2.15/47302/bundles/core/core.entry.js:15:557690

HttpFetchError@https://10.0.2.15/47302/bundles/core/core.entry.js:15:560748

_callee3$@https://10.0.2.15/47302/bundles/core/core.entry.js:15:585158

tryCatch@https://10.0.2.15/47302/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:786910

invoke@https://10.0.2.15/47302/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:790934

defineIteratorMethods/</<@https://10.0.2.15/47302/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:788105

fetch_asyncGeneratorStep@https://10.0.2.15/47302/bundles/core/core.entry.js:15:578070

_next@https://10.0.2.15/47302/bundles/core/core.entry.js:15:578410



пятница, 22 марта 2024 г. в 15:58:53 UTC+3, Nemo191 Nm:
Query 02.jpg

Manuel Alejandro Roldan Mella

unread,
Mar 24, 2024, 11:20:11 PMMar 24
to Wazuh | Mailing List
Hi Nemo,

It seems you've encountered a parsing_exception due to the usage of unrecognized filters. I recommend restructuring your query:

{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-30d/d",
              "lte": "now"
            }
          }
        },
        {
          "term": {
            "data.win.eventdata.TargetUserName.keyword": "root"
          }
        },
        {
          "match": {

            "rule.description": "User account locked out (multiple login errors)"
          }
        }
      ]
    }
  }
}

I hope this helps
Regards

Nemo191 Nm

unread,
Mar 25, 2024, 5:13:02 AMMar 25
to Wazuh | Mailing List
Hello. Thank you for your help.

The code forgot :

"timeframe": {
"from": "18:00:00",
" to": "20:00:00"
}

I tried running your code
I have a message:

Expand your time range

One or more of the indices you’re looking at contains a date field. Your query may not match anything in the current time range, or there may not be any data at all in the currently selected time range. You can try changing the time range to one which contains data.


Although I set the date range from 2023
to the current time.

and when I added the time range, from 18:00 - 20:00, an error appeared: An erroneous request.

It seems that the time range does not work.



{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-30d/d",
              "lte": "now"
            }
          }
        },
        {
          "term": {
            "data.win.eventdata.TargetUserName.keyword": "root"
          }
        },
        {
          "match": {

            "rule.description": "User account locked out (multiple login errors)"
          },
"timeframe": {
"from": "18:00:00",
"to": "20:00:00"
            }
        }
      ]
    }
  }
}













понедельник, 25 марта 2024 г. в 06:20:11 UTC+3, Manuel Alejandro Roldan Mella:
003.jpg
004.jpg

Manuel Roldan

unread,
Mar 28, 2024, 11:59:22 PMMar 28
to Wazuh | Mailing List
Hi Nemo,

Thanks for your follow-up. The issue with the time range is due to the "timeframe" clause not being part of Elasticsearch's standard query syntax, which Wazuh uses for data queries. To filter events between 18:00 and 20:00, you'll need to use a script within your query range. Here's a modified version of your query to achieve this:

{
  "query": {
    "bool": {
      "must": [
        {
          "script": {
            "script": {
              "source": "doc['@timestamp'].value.getHour() >= params.hour_start && doc['@timestamp'].value.getHour() < params.hour_end",
              "params": {
                "hour_start": 18,
                "hour_end": 20
              }
            }
          }
        },

        {
          "range": {
            "@timestamp": {
              "gte": "now-30d/d",
              "lte": "now"
            }
          }
        },
        {
          "term": {
            "data.win.eventdata.TargetUserName.keyword": "root"
          }
        },
        {
          "match": {
            "rule.description": "User account locked out (multiple login errors)"
          }
        }
      ]
    }
  }
}

I hope this helps

Nemo191 Nm

unread,
Mar 29, 2024, 4:43:51 AMMar 29
to Wazuh | Mailing List
Thanks for the help! I checked the operation of this code, a message appears: "No results match your search criteria
Expand your time range"

I've been setting the range for 1 year in filters in Opensearch Dashboards, I'm attaching screenshots, maybe I'm doing something wrong.
At least 3 events in 30 days occurred after 18:00.

Am I inserting the code correctly, in the window: EDIT FILTER I clicked "Edit as Query DSL", I did not insert anything in the FIELD field?
I am attaching screenshots, please take a look.
пятница, 29 марта 2024 г. в 06:59:22 UTC+3, Manuel Roldan:
000_01.jpg
003_01.jpg
001_01.jpg
002_01.jpg

Manuel Roldan

unread,
Apr 1, 2024, 9:12:54 AMApr 1
to Wazuh | Mailing List
Hi Nemo,

Everything seems right, I'll check deeper and get back to you soon.

Nemo191 Nm

unread,
Apr 1, 2024, 10:00:54 AMApr 1
to Wazuh | Mailing List
Thank you!

понедельник, 1 апреля 2024 г. в 16:12:54 UTC+3, Manuel Roldan:

Manuel Roldan

unread,
Apr 16, 2024, 11:37:12 PMApr 16
to Wazuh | Mailing List
Hi Nemo,

I'm sorry for not getting back to you sooner. I've reviewed the filter settings you mentioned. Here are a few checks you might want to perform:

  • Server Time Zone: Ensure it matches the expected time for your logs.
  • Date Range: Confirm the events are within the last 30 days.
  • User Field: Check that data.win.eventdata.TargetUserName.keyword contains "root".
  • Rule Description: Make sure it matches exactly as stored in the logs.
  • Indices: Ensure you search the correct indices where these logs are stored.
I hope these suggestions help!
Regards 

Nemo191 Nm

unread,
Apr 17, 2024, 3:08:40 AMApr 17
to Wazuh | Mailing List
Hi. Thanks for the help, but so far I haven't found any errors.

среда, 17 апреля 2024 г. в 06:37:12 UTC+3, Manuel Roldan:

Manuel Alejandro Roldan Mella

unread,
Apr 17, 2024, 11:44:43 PMApr 17
to Wazuh | Mailing List

Hi Nemo,

 To further assist you, I have a few more questions:

- Log Verification: Can you confirm if you see any relevant logs in the alerts.json file that match your criteria but are not showing up in your queries? This can help determine the issue with the query or the data itself.
- Recent Changes: Have any recent changes to the configuration or updates in Wazuh that might affect log processing?
Elasticsearch Health: Can you check Elasticsearch's health status to ensure it's functioning properly and all indices are up to date?
- Log Samples: Could you provide examples of log entries that you believe should match the query? This can help identify a mismatch in field values or configurations.

Nemo191 Nm

unread,
May 2, 2024, 9:40:57 AMMay 2
to Wazuh | Mailing List
Hello. Take a look at this. Corrected only only:
"data.win.eventdata.TargetUserName ": "Targ"
"rule.description": " Windows User Logoff ."

Does not work.

четверг, 18 апреля 2024 г. в 06:44:43 UTC+3, Manuel Alejandro Roldan Mella:
2024-05-02 16-31-23.mkv
Reply all
Reply to author
Forward
0 new messages