Some Mitre ID not found in database

[Khaedir Sul]

Hi, 
after upgrading my wazuh to version 4.8.0 all service are worked but top mitre not showing up in new wazuh dashboard. here are what if found in ossec.log

2024/08/01 00:47:18 wazuh-analysisd: WARNING: Mitre Technique ID 'T1021' not found in database.
2024/08/01 00:47:20 wazuh-analysisd: WARNING: Mitre Technique ID 'T1078' not found in database.
2024/08/01 00:47:20 wazuh-analysisd: WARNING: Mitre Technique ID 'T1110.001' not found in database.
2024/08/01 00:47:20 wazuh-analysisd: WARNING: Mitre Technique ID 'T1110.001' not found in database.
2024/08/01 00:47:20 wazuh-analysisd: WARNING: Mitre Technique ID 'T1021.004' not found in database.
2024/08/01 00:47:20 wazuh-analysisd: WARNING: Mitre Technique ID 'T1110.001' not found in database.
2024/08/01 00:47:22 wazuh-analysisd: WARNING: Mitre Technique ID 'T1110.001' not found in database.
2024/08/01 00:47:22 wazuh-analysisd: WARNING: Mitre Technique ID 'T1021.004' not found in database.
2024/08/01 00:47:22 wazuh-analysisd: WARNING: Mitre Technique ID 'T1110.001' not found in database.
2024/08/01 00:47:22 wazuh-analysisd: WARNING: Mitre Technique ID 'T1021.004' not found in database.

[Eric Franco Fahnle]

Hi Khaedir Sul! Hope you're doing great.

Let me investigate a little bit and I''ll come back to you.

Regards,

Eric

[Eric Franco Fahnle]

Hi, could you share a litttle more information so that we can better troubleshoot the problem?

1. Check Mitre ATT&CK data feed updates: make sure that the data feed containing Mitre ATT&CK information has been updated after the Wazuh upgrade. Run the following command to update the database:
sudo /var/ossec/bin/wazuh-db update
This command will update the Wazuh database with the latest Mitre ATT&CK information.
2. Restart Wazuh services: after updating the database, restart the Wazuh services to apply the changes.
sudo systemctl restart wazuh-manager
sudo systemctl restart wazuh-api

3. Verify the existence and permissions of the database file:
ls -l /var/ossec/var/db/mitre.db

Thanks,

Eric

[Khaedir Sul]

Hi,
I still can't find how to solve this problem.
Thanks

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/vwYih_7oIUk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a9bd356a-a80f-4d40-ac4c-38812f5315e5n%40googlegroups.com.

[Eric Franco Fahnle]

Hi, could you please provide the info I sent in my previous email?

1. Check Mitre ATT&CK data feed updates: make sure that the data feed containing Mitre ATT&CK information has been updated after the Wazuh upgrade. Run the following command to update the database:
sudo /var/ossec/bin/wazuh-db update
This command will update the Wazuh database with the latest Mitre ATT&CK information.
2. Restart Wazuh services: after updating the database, restart the Wazuh services to apply the changes.
sudo systemctl restart wazuh-manager
sudo systemctl restart wazuh-api
3. Verify the existence and permissions of the database file:
ls -l /var/ossec/var/db/mitre.db

Thanks

[Khaedir Sul]

Hi,
1. i have updated wazuh-db
2. wazuh-manager restarted
3. 
root@my-siem:~# ls -l /var/ossec/var/db/mitre.db
-rw-rw---- 1 root wazuh 14725120 Jul 17 21:37 /var/ossec/var/db/mitre.db

but its no fixed the issue
2024/08/12 23:46:52 wazuh-analysisd: ERROR: dbsync: Cannot communicate with database.
2024/08/12 23:46:56 wazuh-analysisd: WARNING: Mitre Technique ID 'T1110.001' not found in database.
2024/08/12 23:46:56 wazuh-analysisd: WARNING: Mitre Technique ID 'T1021.004' not found in database.
2024/08/12 23:46:56 wazuh-analysisd: WARNING: Mitre Technique ID 'T1110.001' not found in database.
2024/08/12 23:46:56 wazuh-analysisd: WARNING: Mitre Technique ID 'T1021.004' not found in database.

Thanks

[Jorge Eduardo Molas]

Hi Khaedir, sorry for the delay.

According to your analysisd logs "ERROR: dbsync: Cannot communicate with database.", could you provide information about the versions of wazuh your agents (endpoints) have?

Please hide sensitive information.

https://documentation.wazuh.com/current/user-manual/agent/agent-management/listing/index.html

Thanks!

Regars!

[Khaedir Sul]

Hi,
here is my agent version, For you information i have reinstall my server as well as reinstall all the wazuh components but still got the same error.

Wazuh agent_control. Agent information:

Agent ID: 002

Agent Name: testing-web-server

IP address: any

Status: Active

Operating system: Linux |webserver |5.10.0-31-amd64 |#1 SMP Debian 5.10.221-1 (2024-07-14) |x86_64

Client version: Wazuh v4.8.1

Configuration hash: 4afee2c4d7a98b7790947193ea4397ee

Shared file hash: 612c557d0582bfc113ea6204d762709a

Last keep alive: 1723820968

Syscheck last started at: Fri Aug 16 15:03:29 2024

Syscheck last ended at: Fri Aug 16 15:03:47 2024

How to reproduce
1. install wazuh components with latest version (4.8)
2. add agent
3. monitor on the ossec.log

[Khaedir Sul]

I also add mitre page in dashboard, why all data is 0?
thank you

[Jorge Eduardo Molas]

Hi Khaedir, thanks for your response.

In the first post, you mentioned that after migrating to 4.8.0, are you referring to the fact that you upgraded from a lower version? In this new post, what steps did you take to install a Wazuh 4.8.0 server (not via upgrade) and then add an agent in 4.8.1?
Note that compatibility between an agent and the server is ensured when the server has a version later than the agent.

Can you upgrade to 4.8.1 on both the Server and the Agent in this test?Regarding the dashboard in the Framework tab,  it is not showing data because it does not receive events or exists regarding these techniques.
I am attaching a Wazuh without contacted agents (that is, without having events) which looks the same.
Let me know! 
Regards!

[Khaedir Sul]

Hi I already solved the issue. somehow my vm server not supporting wazuh, i have no idea what the problem was. i have reinstalled wazuh components couple of time and still has the same problem. then i decided to install wazuh on my local computer the problem didn't happen anymore the mitre has been shown up. 
note: i'm using local cloud provider in my country for my vm. later i'll try to migrate the wazuh to digitalocean. 

[Jorge Eduardo Molas]

Hi Khaedir! I'm glad to hear that! I'm interested in replicating this issue. If you can give me some information, I would be glad to help other users.

• Host (VM) version
• Wazuh Server final version (kind of deployment, all in one?)
•  Agent OS and Wazuh version. 

Regards!

[heritri]

Are you using idcloudhost? I have same issue like yours.

[Khaedir Sul]

Hi Heritri
Yes correct i was using idcloudhost.