How do I get filtered events? And save the report.
165 views
Skip to first unread message
Nemo191 Nm
Mar 21, 2024, 6:09:30 AM3/21/24
to Wazuh | Mailing List
Hi! Help! It is necessary to filter events by condition: from 1.01.2024 to 03/19/2024 for the event "User account is blocked (multiple login errors)" in the range from 18:00 to 20:00 and for the user "root". How to do it?
Sebastian Falcone
Mar 21, 2024, 8:10:36 AM3/21/24
to Wazuh | Mailing List
Hello, you are referring to the dashboard view?
Sebastian Falcone
Mar 22, 2024, 8:31:49 AM3/22/24
to Wazuh | Mailing List
Hello to meet your requirements:
From 1.01.2024 to 03/19/2024
1. Add a new filter
2. Select the @timestamp field
3. Select the "is between" operator
4. Set the lower bound (01/01/2024 )
5. Set the upper bound ( 03/19/2024)
For the user "root:
1. Add a new filter
2. Select the data.srcuser field
3. Select the "is" operator
4. Set the value "root"
For the event "User account is blocked (multiple login errors)" :
In this case, there must be a rule associated with the alert. I would suggest using the rule ID
1. Add a new filter
2. Select the rule.id field
3. Select the "is" operator
4. Set the value to the rule you want to filter
From 18:00 to 20:00:
This one is more tricky I've didn't found how to add this without compromising the @timestamp filter
From 1.01.2024 to 03/19/2024
1. Add a new filter
2. Select the @timestamp field
3. Select the "is between" operator
4. Set the lower bound (01/01/2024 )
5. Set the upper bound ( 03/19/2024)
For the user "root:
1. Add a new filter
2. Select the data.srcuser field
3. Select the "is" operator
4. Set the value "root"
For the event "User account is blocked (multiple login errors)" :
In this case, there must be a rule associated with the alert. I would suggest using the rule ID
1. Add a new filter
2. Select the rule.id field
3. Select the "is" operator
4. Set the value to the rule you want to filter
From 18:00 to 20:00:
This one is more tricky I've didn't found how to add this without compromising the @timestamp filter
Nemo191 Nm
Mar 22, 2024, 9:29:03 AM3/22/24
to Wazuh | Mailing List
Thanks for the help. I did that too. There is a problem with the time range from 18:00 to 20:00. It hasn't worked out yet.
пятница, 22 марта 2024 г. в 15:31:49 UTC+3, Sebastian Falcone:
Sebastian Falcone
Mar 25, 2024, 3:23:04 AM3/25/24
to Wazuh | Mailing List
I didn't found a way to filter by the hour, because the field has to be a full timestamp (day, month and year included)
Nemo191 Nm
Mar 25, 2024, 8:02:59 AM3/25/24
to Wazuh | Mailing List
Thanks for the help, I asked here on the forum, I was offered an option via DQL, but it doesn't work yet:
{
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-30d/d",
"lte": "now"
}
}
},
{
"term": {
"data.win.eventdata.TargetUserName.keyword": "root"
}
},
{
"match": {
"rule.description": "User account locked out (multiple login errors)"
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-30d/d",
"lte": "now"
}
}
},
{
"term": {
"data.win.eventdata.TargetUserName.keyword": "root"
}
},
{
"match": {
"rule.description": "User account locked out (multiple login errors)"
},
"timeframe": {
"from": "18:00:00",
"to": "20:00:00"
}
}
"timeframe": {
"from": "18:00:00",
"to": "20:00:00"
}
}
]
}
}
}
}
}
}
понедельник, 25 марта 2024 г. в 10:23:04 UTC+3, Sebastian Falcone:
Sebastian Falcone
Apr 2, 2024, 4:04:34 AM4/2/24
to Wazuh | Mailing List
From what I know, is not possible to filter partial parts of the timestamp. So It won't be possible to filter to the hour, just the day range
Nemo191 Nm
Apr 3, 2024, 4:42:17 AM4/3/24
to Wazuh | Mailing List
It's clear. Thanks for the help.
вторник, 2 апреля 2024 г. в 11:04:34 UTC+3, Sebastian Falcone:
Sebastian Falcone
Apr 5, 2024, 6:18:53 AM4/5/24
to Wazuh | Mailing List
You're welcome!
Don't hesitate on asking again if new issues arise
Don't hesitate on asking again if new issues arise
Reply all
Reply to author
Forward
0 new messages