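Hi Wazuh Team,
I have the following event in Security Events.
I want to add a field called Client IP that holds the address from the `[CLIENT: ...]` part of `data.win.eventdata.data`; the sample below shows it as `"Client IP"` under `data.win.system`. How can I do that?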
{
"_index": "wazuh-alerts-4.x-2024.04.16",
"_id": "x0xq5o4Bth_0QFEHmZPf",
"_version": 1,
"_score": null,
"_source": {
"cluster": {
"node": "wazuhserverworker",
"name": "wazuh"
},
"input": {
"type": "log"
},
"agent": {
"ip": "10.10.10.10",
"name": "XXXXX-HOST",
"id": "009"
},
"manager": {
"name": "wazuhserverworker"
},
"data": {
"win": {
"eventdata": {
"data": "sa, Reason: Password did not match that for the login provided., [CLIENT: 118.118.118.118]",
"binary": "184800000E0000000D000000530051004C0032003000310036002D0048004F00530054000000070000006D00610073007400650072000000"
},
"system": {
"eventRecordID": "111936843",
"eventID": "18456",
"computer": "XXXXX-HOST.XXXXXX",
"task": "4",
"keywords": "0x90000000000000",
"level": "0",
"severityValue": "AUDIT_FAILURE",
"channel": "Application",
"message": "\"Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT:
118.118.118.118 ]\"",
"systemTime": "2024-04-16T10:18:48.122741800Z",
"providerName": "XXXXXSERVER"
"Client IP": "118.118.118.118"
}
}
},
"rule": {
"firedtimes": 5710,
"mail": false,
"level": 5,
"hipaa": [
"164.312.b"
],
"pci_dss": [
"10.2.4",
"10.2.5"
],
"tsc": [
"CC6.1",
"CC6.8",
"CC7.2",
"CC7.3"
],
"description": "MS SQL server logon failure.",
"groups": [
"windows",
"windows_application",
"authentication_failed"
],
"id": "61071",
"nist_800_53": [
"AC.7",
"AU.14"
],
"gdpr": [
"IV_32.2",
"IV_35.7.d"
],
"gpg13": [
"7.1"
]
},
"location": "EventChannel",
"decoder": {
"name": "windows_eventchannel"
},
"id": "1713262728.483813893",
"timestamp": "2024-04-16T10:18:48.218+0000"
},
"fields": {
"timestamp": [
"2024-04-16T10:18:48.218Z"
]
},
"highlight": {
"cluster.name": [
"@opensearch-dashboards-highlighted-field@wazuh@/opensearch-dashboards-highlighted-field@"
],
"rule.groups": [
"@opensearch-dashboards-highlighted-field@authentication_failed@/opensearch-dashboards-highlighted-field@"
]
},
"sort": [
1713262728218
]
}
Thanks, team.