Help on using API to get alert data


Richard Offer

Jul 1, 2022, 3:52:18 PM
to wa...@googlegroups.com

Hi,

I’m looking to use the API to extend my reporting capabilities, but I haven’t been able to find the data in the API.


I get a daily report from wazuh that includes


Top entries for 'Rule':
------------------------------------------------
31151 - Multiple web server 400 error codes from same source ip.              |272     |
35055 - Squid: Multiple attempts to access a non-existent file.               |161     |
31168 - Shellshock attack detected                                            |1       |
5712 - sshd: brute force trying to get access to the system. Non existent u   |1       |



I would really like to find out which systems (agents) are reporting those issues… and those that aren’t…

I’ve spent some time going over the API docs and playing with making requests; I just am not seeing where this type of data might be available.

Is it not available yet? Any other avenues to improve my automatic reporting?


Thanks

Richard.

Víctor Fernández Poyatos

Jul 4, 2022, 3:20:44 AM
to Wazuh mailing list

Hello Richard,

Since the Wazuh alerts are indexed, I’m afraid you will have to use the ElasticSearch API instead of the Wazuh one. This should not be any harder though.

Taking a look at the ElasticSearch API documentation, there’s the Search API, which returns hits that match the query in the request from an index. To build the request, you will need the following:

  • Wazuh indexer IP
  • Wazuh alerts index: wazuh-alerts*
  • Elastic admin user credentials: The credentials you use to access the Wazuh dashboard. For the wazuh-docker deployment for instance, they are admin:SecretPassword.

Now, the basic request to retrieve all your alerts would be:

curl -k -u <USER>:<PASSWORD> -X GET "https://<WAZUH_INDEXER_IP>:9200/wazuh-alerts*/_search"

Keep in mind that this API can receive several parameters to filter results. For instance, if you want to retrieve all the alerts from a certain day, taking a look at the index format from a hit in the general request (response.hits.hits[0]):

{
        "_index" : "wazuh-alerts-4.x-2022.07.04",
        "_type" : "_doc",
        "_id" : "H-v8x4EB0YHjKc-sy-p-",
        "_score" : 0.41501677,
        "_source" : {
          "syscheck" : {
            "uname_after" : "root",
            "mtime_after" : "2022-07-04T06:53:57",
            "size_after" : "0",
            "gid_after" : "0",
            "mode" : "realtime",
            "path" : "/test/testing_file",
            "sha1_after" : "da39a3ee5e6b4b0d3255bfef95601890afd80709",
            "gname_after" : "root",
            "uid_after" : "0",
            "perm_after" : "rw-r--r--",
            "event" : "added",
            "md5_after" : "d41d8cd98f00b204e9800998ecf8427e",
            "sha256_after" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "inode_after" : 29017
          },
          "agent" : {
            "name" : "wazuh.manager",
            "id" : "000"
          },
          "manager" : {
            "name" : "wazuh.manager"
          },

(...)

In the _index field you will be able to see the exact index the alert was stored in. Using that, you will be able to filter alerts by day. For instance, to get alerts from that day:

curl -k -u <USER>:<PASSWORD> -X GET "https://<WAZUH_INDEXER_IP>:9200/wazuh-alerts-4.x-2022.07.04/_search"

Using that in conjunction with query parameters, you can filter anything. To add more detail to the previous request, if I wanted to retrieve all the syscheck alerts from that day:

curl -k -u <USER>:<PASSWORD> -X GET "https://<WAZUH_INDEXER_IP>:9200/wazuh-alerts-4.x-2022.07.04/_search?pretty" -H 'Content-Type: application/json' -d'
{
    "query" : {
        "term" : { "rule.groups" : "syscheck" }
    }
}
'

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 0.41501677,
    "hits" : [
      {
        "_index" : "wazuh-alerts-4.x-2022.07.04",
        "_type" : "_doc",
        "_id" : "H-v8x4EB0YHjKc-sy-p-",
        "_score" : 0.41501677,
        "_source" : {
          "syscheck" : {
            "uname_after" : "root",
            "mtime_after" : "2022-07-04T06:53:57",
            "size_after" : "0",
            "gid_after" : "0",
            "mode" : "realtime",
            "path" : "/test/testing_file",
            "sha1_after" : "da39a3ee5e6b4b0d3255bfef95601890afd80709",
            "gname_after" : "root",
            "uid_after" : "0",
            "perm_after" : "rw-r--r--",
            "event" : "added",
            "md5_after" : "d41d8cd98f00b204e9800998ecf8427e",
            "sha256_after" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "inode_after" : 29017
          },
          "agent" : {
            "name" : "wazuh.manager",
            "id" : "000"
          },
          "manager" : {
            "name" : "wazuh.manager"
          },
          "rule" : {
            "firedtimes" : 1,
            "mail" : false,
            "level" : 5,
            "pci_dss" : [
              "11.5"
            ],
            "hipaa" : [
              "164.312.c.1",
              "164.312.c.2"
            ],
            "tsc" : [
              "PI1.4",
              "PI1.5",
              "CC6.1",
              "CC6.8",
              "CC7.2",
              "CC7.3"
            ],
            "description" : "File added to the system.",
            "groups" : [
              "ossec",
              "syscheck",
              "syscheck_entry_added",
              "syscheck_file"
            ],
            "id" : "554",
            "nist_800_53" : [
              "SI.7"
            ],
            "gpg13" : [
              "4.11"
            ],
            "gdpr" : [
              "II_5.1.f"
            ]
          },
          "decoder" : {
            "name" : "syscheck_new_entry"
          },
          "full_log" : "File '/test/testing_file' added\nMode: realtime\n",
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2022-07-04T06:53:57.230Z",
          "location" : "syscheck",
          "id" : "1656917637.239",
          "timestamp" : "2022-07-04T06:53:57.230+0000"
        }
      }
    ]
  }
}

I hope this helps! Let me know if you need anything else.

Regards,
Víctor
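The script below is an added example, not code from this thread or from the Wazuh project. It takes the Search API approach described above one step further than the raw-hits requests shown: instead of pulling every alert document, it asks the indexer for a terms aggregation on rule.id with a nested aggregation on agent.name, which is exactly the "which agents raised which rule" breakdown the question asks for, and then compares the result against a list of known agents (for instance the list returned by the Wazuh API's GET /agents endpoint) to report the agents that did not raise a given rule. It assumes the wazuh-alerts-* index pattern and the @timestamp, rule.id, rule.groups, rule.description and agent.name fields visible in the hit above, an HTTPS indexer on port 9200 with basic auth, and that rule.id and agent.name are keyword-mapped (true for the standard Wazuh template). The search() helper verifies TLS against a CA file rather than reproducing the curl -k shortcut. The SAMPLE_RESPONSE dictionary is constructed so the parsing and report formatting can be run without an indexer.

```python
"""Added example (not from the thread or Wazuh): per-rule, per-agent alert
breakdown for one day via the indexer's Search API, plus "agents not reporting".

Assumptions: wazuh-alerts-* index pattern; fields @timestamp, rule.id,
rule.groups, rule.description, agent.name as in the hit shown in the thread;
indexer on https://<host>:9200 with HTTP basic auth.
"""
import base64
import json
import ssl
import urllib.request


def build_rule_agent_query(day, groups=None, max_rules=50, max_agents=500):
    """Search API body counting alerts per rule.id and, inside each rule, per
    agent.name, for the UTC day `day` (YYYY-MM-DD).

    A @timestamp range filter replaces the per-day index name used in the
    thread, so the body works against the wazuh-alerts-* pattern.
    `size: 0` suppresses raw hits; only the aggregations are returned.
    """
    filters = [{"range": {"@timestamp": {"gte": day, "lt": f"{day}||+1d"}}}]
    if groups:  # e.g. ["syscheck"], mirroring the term query in the thread
        filters.append({"terms": {"rule.groups": list(groups)}})
    return {
        "size": 0,
        "query": {"bool": {"filter": filters}},
        "aggs": {
            "by_rule": {
                "terms": {"field": "rule.id", "size": max_rules},
                "aggs": {
                    # one sample hit carries the human-readable description
                    "sample": {"top_hits": {"size": 1, "_source": ["rule.description"]}},
                    "by_agent": {"terms": {"field": "agent.name", "size": max_agents}},
                },
            }
        },
    }


def search(indexer_host, user, password, body, index="wazuh-alerts-*", cafile=None):
    """POST `body` to https://<indexer_host>:9200/<index>/_search and return the
    parsed JSON. TLS is verified against `cafile` (the indexer root CA) or the
    system trust store; the `curl -k` shortcut is deliberately not reproduced."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{indexer_host}:9200/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return json.load(resp)


def summarize(response, known_agents=()):
    """One row per rule: total, per-agent counts, and which of `known_agents`
    (e.g. the agent list from the Wazuh API) raised no alert for that rule."""
    rows = []
    for bucket in response["aggregations"]["by_rule"]["buckets"]:
        agents = {b["key"]: b["doc_count"] for b in bucket["by_agent"]["buckets"]}
        sample = bucket["sample"]["hits"]["hits"]
        description = sample[0]["_source"]["rule"]["description"] if sample else ""
        rows.append({
            "rule_id": bucket["key"],
            "description": description,
            "total": bucket["doc_count"],
            "agents": agents,
            "missing": sorted(set(known_agents) - set(agents)),
        })
    return rows


def format_report(rows):
    """Render rows in the style of the daily e-mail report, with agent detail."""
    lines = ["Top entries for 'Rule':", "-" * 48]
    for r in rows:
        lines.append(f"{r['rule_id']} - {r['description']:<60.60}|{r['total']:<8}|")
        for agent, n in sorted(r["agents"].items(), key=lambda kv: -kv[1]):
            lines.append(f"    {agent}: {n}")
        if r["missing"]:
            lines.append(f"    not reporting: {', '.join(r['missing'])}")
    return "\n".join(lines)


# Constructed sample response (shape of a real terms/top_hits aggregation
# reply) so the parsing can be exercised without an indexer.
SAMPLE_RESPONSE = {
    "took": 3, "timed_out": False,
    "hits": {"total": {"value": 4, "relation": "eq"}, "hits": []},
    "aggregations": {"by_rule": {"buckets": [
        {"key": "31151", "doc_count": 3,
         "sample": {"hits": {"hits": [{"_source": {"rule": {
             "description": "Multiple web server 400 error codes from same source ip."}}}]}},
         "by_agent": {"buckets": [{"key": "web01", "doc_count": 2},
                                  {"key": "web02", "doc_count": 1}]}},
        {"key": "31168", "doc_count": 1,
         "sample": {"hits": {"hits": [{"_source": {"rule": {
             "description": "Shellshock attack detected"}}}]}},
         "by_agent": {"buckets": [{"key": "web02", "doc_count": 1}]}},
    ]}},
}

if __name__ == "__main__":
    # Live use: search("<WAZUH_INDEXER_IP>", "<USER>", "<PASSWORD>",
    #                  build_rule_agent_query("2022-07-04"), cafile="root-ca.pem")
    print(format_report(summarize(SAMPLE_RESPONSE, known_agents=["web01", "web02", "bastion"])))
```

Two design points: the day boundary is computed in UTC on @timestamp, which matches the UTC offset in the alert's timestamp field above, so results line up with the daily index names even when the indexer and the reporting host sit in different time zones; and the "not reporting" list is only meaningful against an authoritative agent inventory, which is why the known-agents list is taken from the Wazuh API rather than inferred from the alerts themselves.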
