How do I write correlation?

[Furkan Sayım]

How can I write a correlation for Wazuh alarms?

Does anyone integrate the Sigma project into wazuh?

[Juan Carlos]

Hello Furkan,

The Wazuh analysisd daemon uses a simple resource efficient logic designed to handle the analysis of a large amount of logs while only consuming a reasonable quantity of resources.

This design enables the correlation of alerts that have a common characteristic among them that can be either: the same rule ID, group of rules, IP, source or destination port, location, user or even a dynamic field.

This can be configured by creating a composite rule, specifying a frequency and timeframe and using one of these tags to match the repeated characteristic:

• if_matched_sid
• if_matched_group
• same_id
• same_source_ip
• same_src_port
• same_dst_port
• same_location
• same_user
• same_field

As for the Sigma project, I'm not sure what you mean.

Could you please clarify so we may best help you?

Best Regards,

Juan Carlos Tello

[Furkan Sayım]

Sigma Project;

https://github.com/Neo23x0/sigma

20 Mayıs 2019 Pazartesi 10:34:59 UTC+3 tarihinde Juan Carlos yazdı:

[Cristóbal López]

Hi Furkan,

There are several ways to correlate Wazuh alerts:

- You can use if_sid in a rule to execute it only if the event that generates it matches the requirements of another rule. In the following example rule 5 will only be executed if the event matches the rule 4:

  <rule id="5" level="10">
    <if_sid>4</if_sid>
    <match>AUTHENTICATE LOGIN failure</match>
    <description>Login failed.</description>
    <group>authentication_failed</group>
  </rule>

- You can use if_matching_sid to trigger an alert if another rule has been executed several times in a time interval. In the following example, rule 5 will only be executed if rule 4 has been executed 10 times in the last 120 seconds. You can add attributes like same_source_ip to not have alerts with different IP.

  <rule id="5" level="10" frequency="10" timeframe="120">
    <if_matched_sid>4</if_matched_sid>
    <same_source_ip/>
    <match>AUTHENTICATE LOGIN failure</match>
    <description>Login failed.</description>
    <group>authentication_failed</group>
  </rule>

Is this correlation enough for your use case? If not, describe it and we can help you.

Currently Wazuh has no integration with the Sigma project. However, you can easily make an integration using Integratord. In this article you can find an example on how to do it.

Best regards,
Cristobal Lopez.

On Friday, May 17, 2019 at 3:56:17 PM UTC+2, Furkan Sayım wrote:How can I write a correlation for Wazuh alarms?

Does anyone integrate the Sigma project into wazuh?

On Friday, May 17, 2019 at 3:56:17 PM UTC+2, Furkan Sayım wrote:

[Furkan Sayım]

Thank you Cristóbal. I'il write a few rules and test them. I'd like to ask you if we have problems.

20 Mayıs 2019 Pazartesi 10:52:07 UTC+3 tarihinde Cristóbal López yazdı:

[Adrian Di]

Hi ,

Related to this information of correlation. how can I do a rule like the last one to integrate variables of each rule that use it diferents decoders. I mean, take this rule:

<rule id="100112" level="12" timeframe="10"> <if_sid>100445</if_sid> <if_matched_sid>100555</if_matched_sid> <same_dstip /> <description>Multiple authentication failures followed by a success.</description>

</rule>

rule 100445 use decoder#1 with some variables linke srcip,srcport,dstip and agent. Rule 100555 have a decoder#2 with variables dstip,dstport and action. the variable dstip is the same in both. Whith 100112 rule, I want create a description that use all the variables from decoder#1 and decoder#2. How can I do that? . The decoder#1 is a log from a waf and the decoder#2 is the log from an iis. The log on iis have the dstip of waf an not the real client , since waf hide that. So, I want to do a correlation to know the real srcip of the request on each trigger of iis.

I hope you understand the issue and my English.

Thanks.-