Anomaly Detection / Alerting
881 views
Skip to first unread message
Paul O'Shea
May 31, 2022, 6:11:05 AM5/31/22
to Wazuh mailing list
Hi,
We have a 4.3 cluster running and I am struggling to figure out exactly how to have the system alert for an anomaly such as, say, a high number of failed login attempts.
I believe I've created a detector for the relevant rule id, but I don't understand how to get it to alert when the detector goes over as set value.
Any guidance would be really welcome.
Thanks
Paul.
elw...@wazuh.com
May 31, 2022, 8:52:15 AM5/31/22
to Wazuh mailing list
Hello Paul,
The described use case can be implemented using Wazuh rules and as an example the Windows rule https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0580-win-security_rules.xml#L1070 :
<rule id="60204" level="10" frequency="$MS_FREQ" timeframe="240">
<if_matched_group>authentication_failed</if_matched_group>
<same_field>win.eventdata.ipAddress</same_field>
<options>no_full_log</options>
<description>Multiple Windows logon failures.</description>
<mitre>
<id>T1110</id>
</mitre>
<group>authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
It is using the attributes frequency and timeframe (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rule) to implement the correlation.
On the other hand, the Anomaly detection module (https://opensearch.org/docs/latest/monitoring-plugins/ad/index/) works separately and does not trigger an alert into Wazuh indices but in its own dashboard as shown below:
.png?part=0.2&view=1)
I have defined a simple detector that would trigger an alert (in the anomaly detection dashboard) whenever the root user is detected twice in a frame time of 2 mins:
.png?part=0.1&view=1)
Hope this helps.
Regards,
Wali
The described use case can be implemented using Wazuh rules and as an example the Windows rule https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0580-win-security_rules.xml#L1070 :
<rule id="60204" level="10" frequency="$MS_FREQ" timeframe="240">
<if_matched_group>authentication_failed</if_matched_group>
<same_field>win.eventdata.ipAddress</same_field>
<options>no_full_log</options>
<description>Multiple Windows logon failures.</description>
<mitre>
<id>T1110</id>
</mitre>
<group>authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
It is using the attributes frequency and timeframe (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rule) to implement the correlation.
On the other hand, the Anomaly detection module (https://opensearch.org/docs/latest/monitoring-plugins/ad/index/) works separately and does not trigger an alert into Wazuh indices but in its own dashboard as shown below:
I have defined a simple detector that would trigger an alert (in the anomaly detection dashboard) whenever the root user is detected twice in a frame time of 2 mins:
Hope this helps.
Regards,
Wali
Elwali Karkoub
Jun 3, 2022, 4:34:24 AM6/3/22
to wa...@googlegroups.com
---------- Forwarded message ---------
From: Paul O'Shea <tekn...@gmail.com>
Date: Thu, Jun 2, 2022 at 12:43 PM
Subject: Private message regarding: Anomaly Detection / Alerting
To: elw...@wazuh.com <elw...@wazuh.com>
From: Paul O'Shea <tekn...@gmail.com>
Date: Thu, Jun 2, 2022 at 12:43 PM
Subject: Private message regarding: Anomaly Detection / Alerting
To: elw...@wazuh.com <elw...@wazuh.com>
Hi Wali,
Thank you for the information.
Perhaps I am missing something on the Anomaly Detection, but how does the example you have below know that there was an anomaly specifically on the Sudo login during the time frame. I cant see any configuration that tells the detector to look for that specific data?
Regards
Paul.
elw...@wazuh.com
Jun 3, 2022, 4:39:10 AM6/3/22
to Wazuh mailing list
hello Paul,
I have defined it to be detected as an anomaly whenever there is `data.dstuer` is root more than once in timeframe of 10 mins, the configuration is the following:
.png?part=0.1&view=1)
.png?part=0.2&view=1)
Please make sure to use reply to all so that the whole community can benefit from the converstation.
I hope this helps.
Regards,
Wali
I have defined it to be detected as an anomaly whenever there is `data.dstuer` is root more than once in timeframe of 10 mins, the configuration is the following:
Please make sure to use reply to all so that the whole community can benefit from the converstation.
I hope this helps.
Regards,
Wali
Paul O'Shea
Jun 3, 2022, 6:25:53 AM6/3/22
to Wazuh mailing list
Hi Wali,
Ok thanks for the update, I think I have a detector working now and will leave it "learn" over the next few days.
Thanks for your help.
Kind Regards
Paul.
elw...@wazuh.com
Jun 3, 2022, 8:04:22 AM6/3/22
to Wazuh mailing list
Hello Paul,
Awesome and you're welcome.
Do not hesitate to reach out to us whenever you need assistance.
Regards,
Wali
Awesome and you're welcome.
Do not hesitate to reach out to us whenever you need assistance.
Regards,
Wali
Reply all
Reply to author
Forward
0 new messages