Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Wazuh Alerts | ✅ | ✅ | | | wazuh_alerts | Key Value | S3 |
Overview
Wazuh is an open-source security monitoring platform that provides log data analysis, intrusion detection, and compliance management. It helps organizations detect, analyze, and respond to security threats in real-time by collecting and processing security events from various sources, including servers, network devices, and cloud environments. Wazuh offers features like file integrity monitoring, vulnerability detection, and centralized log management, helping security teams ensure compliance with industry standards and strengthen overall security posture. It integrates with other security tools, like SIEM systems, to provide a comprehensive view of an organization’s security landscape.
Supported data types
Wazuh Alerts
Table name: wazuh_alerts
Wazuh Alert logs are essential components of the platform, offering detailed records of security alerts generated by various detection mechanisms, including log analysis, anomaly detection, and threat intelligence integration. These logs contain information about potential security incidents, including the type of alert, affected system or resource, severity level, timestamp, and relevant contextual data.
Send data to Hunters
Hunters supports the ingestion of Wazuh logs via an intermediary AWS S3 bucket.
To connect Wazuh logs:
Export your Wazuh logs to an AWS S3 bucket by following this guide.
Once the export is complete and the logs are collected in S3, follow the steps in this section.
Expected format
Wazuh Alerts
Hunters supports the ingestion of Wazuh Alerts in a key-value format, which you can connect on your own using the Hunters platform.
In addition, Hunters can ingest Wazuh logs in JSON format using a manual configuration process. To use this option, open an Onboard Supported Integration ticket from the Hunters Support Portal.
🚧 Note
Since this is a complex data source, make sure the exported data adheres to the following:
Every new log record must start with '**'.
Every key-value pair must be written as key, ':', value, and each pair must appear on its own line (see the example below).
Key-value example
```
** Alert 1679319621.1291172505: - fortigate,syslog,
2017 Feb 14 12:19:06 localhost->/var/log/secure
Rule: 81633 (level 3) -> 'Fortigate: App passed by firewall.'
Src IP: 1.1.1.1
Src Port: 37392
Dst IP: 2.2.2.2
Dst Port: 443
Mar 20 13:40:20 10.17.2.68 date=2023-03-20 time=13:40:20 devname="device-name" devid="device-name" eventtime=1679319620487989456 tz="+0000" logid="1111" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=47013 srcip=1.1.1.1 dstip=2.2.2.2 srcport=37392 dstport=443 srcintf="port4" srcintfrole="dmz" dstintf="port1" dstintfrole="wan" proto=6 service="SSL" direction="incoming" policyid=41 sessionid=4444 applist="default" action="pass" appcat="Network.Service" app="SSL_TLSv1.3" hostname="www.host.de" incidentserialno=5555 url="/" msg="Network.Service: SSL_TLSv1.3," apprisk="medium" device="AWS-FW"
app: SSL_TLSv1.3
appcat: Network.Service
appid: 47013
applist: default
apprisk: medium
cat: Network.Service
direction: incoming
dstintf: port1
dstintfrole: wan
eventtime: 1679319620487989456
eventtype: signature
hostname: www.host.de
incidentserialno: 5555
ip: 1.1.1.1
level: information
logid: 1111
msg: Network.Service: SSL_TLSv1.3,
policyid: 41
proto: 6
service: SSL
sessionid: 4444
srcintf: port4
srcintfrole: dmz
subtype: app-ctrl
time: 13:40:20
type: utm
vd: root
```
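Before pointing the S3 collector at an export, it is worth confirming that the files actually follow the two constraints above, because a record that does not begin with '**' or a field that is not on its own 'key: value' line will not be parsed as intended. The following checker is an added example and is not Hunters' or Wazuh's own code: it splits an alerts.log-style export into records, extracts the alert id, groups, rule and the key-value fields, and reports lines that break the stated format. The record layout is taken from the example above; the sample text is a trimmed, constructed copy of that example, and the dataclass and function names are my own.

```python
# Added example (not Hunters' or Wazuh's code): check a key-value Wazuh alert
# export against the constraints Hunters documents for this data source.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A record begins with "** Alert <id>: - <group>,<group>,"
ALERT_HEADER = re.compile(r"^\*\* Alert (?P<id>[\d.]+): - (?P<groups>.*?),?$")
# "Rule: 81633 (level 3) -> 'description'" (matched before the generic key: value
# pattern, otherwise it would be read as a field named "Rule")
RULE_LINE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# "key: value" on its own line. Keys start with a letter and contain no colon, so a
# raw syslog line such as "Mar 20 13:40:20 ..." is not mistaken for a field.
KV_LINE = re.compile(r"^(?P<key>[A-Za-z][\w .-]*?): (?P<value>.*)$")


@dataclass
class WazuhAlert:
    alert_id: str
    groups: List[str]
    rule_id: Optional[str] = None
    level: Optional[int] = None
    description: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)
    raw_lines: List[str] = field(default_factory=list)  # lines that are not key: value pairs


def split_records(text: str) -> Tuple[List[List[str]], List[str]]:
    """Group non-empty lines into records; every record must start with '**'."""
    records: List[List[str]] = []
    problems: List[str] = []
    current: Optional[List[str]] = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("**"):
            current = [line]
            records.append(current)
        elif current is None:
            problems.append(f"line {lineno}: data before the first '**' record marker")
        else:
            current.append(line)
    return records, problems


def parse_record(lines: List[str]) -> Tuple[Optional[WazuhAlert], List[str]]:
    """Parse one record into a WazuhAlert; returns (alert or None, problems)."""
    header = ALERT_HEADER.match(lines[0])
    if header is None:
        return None, [f"malformed record header: {lines[0]!r}"]
    groups = [g for g in header["groups"].split(",") if g]
    alert = WazuhAlert(alert_id=header["id"], groups=groups)
    for line in lines[1:]:
        rule = RULE_LINE.match(line)
        if rule:
            alert.rule_id = rule["rule_id"]
            alert.level = int(rule["level"])
            alert.description = rule["desc"]
            continue
        kv = KV_LINE.match(line)
        if kv:
            alert.fields[kv["key"]] = kv["value"]
        else:
            alert.raw_lines.append(line)  # e.g. the timestamp/location line or the raw event
    return alert, []


def check_export(text: str) -> Tuple[List[WazuhAlert], List[str]]:
    """Parse a whole export; problems is empty when the format constraints hold."""
    records, problems = split_records(text)
    alerts: List[WazuhAlert] = []
    for record in records:
        alert, record_problems = parse_record(record)
        problems.extend(record_problems)
        if alert is not None:
            alerts.append(alert)
    return alerts, problems


# Constructed sample: a trimmed copy of the key-value example on this page.
SAMPLE = """\
** Alert 1679319621.1291172505: - fortigate,syslog,
2017 Feb 14 12:19:06 localhost->/var/log/secure
Rule: 81633 (level 3) -> 'Fortigate: App passed by firewall.'
Src IP: 1.1.1.1
Src Port: 37392
Dst IP: 2.2.2.2
Dst Port: 443
Mar 20 13:40:20 10.17.2.68 date=2023-03-20 time=13:40:20 devname="device-name" srcip=1.1.1.1 dstip=2.2.2.2 action="pass"
app: SSL_TLSv1.3
apprisk: medium
msg: Network.Service: SSL_TLSv1.3,
time: 13:40:20
"""
# Constructed bad sample: a field line appears before any '**' record marker.
BAD_SAMPLE = "Src IP: 1.1.1.1\n" + SAMPLE

if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("BAD_SAMPLE", BAD_SAMPLE)):
        alerts, problems = check_export(text)
        print(f"{name}: {len(alerts)} alert(s), problems={problems}")
```

Run it against a downloaded copy of the export before enabling the collector; any entry in the problems list points at a line that will not be parsed as a record or field.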
JSON example
```json
{
  "agent": {
    "id": "18559",
    "ip": "1.2.3.4",
    "name": "test-prod-01"
  },
  "cluster": {
    "name": "wazuh",
    "node": "wazuh-manager"
  },
  "data": {
    "dstuser": "root"
  },
  "decoder": {
    "name": "pam",
    "parent": "pam"
  },
  "full_log": "Jun 12 23:59:58 test-prod-01 sudo: pam_unix(sudo:session): session closed for user root",
  "id": "1718236799.207892585",
  "location": "/var/log/auth.log",
  "manager": {
    "name": "wazuh-manager"
  },
  "predecoder": {
    "hostname": "test-prod-01",
    "program_name": "sudo",
    "timestamp": "Jun 12 23:59:58"
  },
  "rule": {
    "description": "PAM: Login session closed.",
    "firedtimes": 1623,
    "gdpr": [
      "IV_32.2"
    ],
    "gpg13": [
      "7.8",
      "7.9"
    ],
    "groups": [
      "pam",
      "syslog"
    ],
    "hipaa": [
      "1.2.b"
    ],
    "id": "5502",
    "level": 3,
    "mail": false,
    "nist_800_53": [
      "AU.14",
      "AC.7"
    ],
    "pci_dss": [
      "10.2.5"
    ],
    "tsc": [
      "CC6.8",
      "CC7.2",
      "CC7.3"
    ]
  },
  "timestamp": "2024-06-12T23:59:59.344+0000"
}
```