From ca263afaa1b228aa6a74c950e79893ef459f5473 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Tue, 11 Jun 2024 12:14:04 +0200 Subject: [PATCH] Add Splunk integration (#257) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add Splunk integration Draft * Fix certificate errors * Add cfssl container to generate and sign splunk certs * Add cfssl configuration files * Update Splunk integration --------- 
Signed-off-by: Álex Ruiz Co-authored-by: Fede Tux --- integrations/.gitignore | 4 +- integrations/docker/splunk.yml | 143 +++++++++ integrations/splunk/README.md | 49 +++ integrations/splunk/cfssl/ca.json | 15 + integrations/splunk/cfssl/cfssl.json | 58 ++++ integrations/splunk/cfssl/host.json | 19 ++ integrations/splunk/config/default.yml | 25 ++ integrations/splunk/config/indexes.conf | 11 + .../logstash/pipeline/indexer-to-splunk.conf | 31 ++ integrations/splunk/logstash/setup.sh | 10 + integrations/splunk/wazuh-amazon-aws | 136 ++++++++ integrations/splunk/wazuh-docker-listener | 130 ++++++++ integrations/splunk/wazuh-incident-response | 135 ++++++++ integrations/splunk/wazuh-malware-detection | 136 ++++++++ integrations/splunk/wazuh-pci-dss | 136 ++++++++ integrations/splunk/wazuh-security-events | 296 ++++++++++++++++++ integrations/splunk/wazuh-vulnerabilities | 261 +++++++++++++++ 17 files changed, 1592 insertions(+), 3 deletions(-) create mode 100644 integrations/docker/splunk.yml create mode 100644 integrations/splunk/README.md create mode 100644 integrations/splunk/cfssl/ca.json create mode 100644 integrations/splunk/cfssl/cfssl.json create mode 100644 integrations/splunk/cfssl/host.json create mode 100644 integrations/splunk/config/default.yml create mode 100644 integrations/splunk/config/indexes.conf create mode 100644 integrations/splunk/logstash/pipeline/indexer-to-splunk.conf create mode 100644 integrations/splunk/logstash/setup.sh create mode 100644 integrations/splunk/wazuh-amazon-aws create mode 100644 integrations/splunk/wazuh-docker-listener create mode 100644 integrations/splunk/wazuh-incident-response create mode 100644 integrations/splunk/wazuh-malware-detection create mode 100644 integrations/splunk/wazuh-pci-dss create mode 100644 integrations/splunk/wazuh-security-events create mode 100644 integrations/splunk/wazuh-vulnerabilities diff --git a/integrations/.gitignore b/integrations/.gitignore index 1edb6d3c10c60..a9728d8767e3a 100644 
--- a/integrations/.gitignore
+++ b/integrations/.gitignore
@@ -1,4 +1,2 @@
-splunk
-common
-config
+external
 docker/certs
\ No newline at end of file
diff --git a/integrations/docker/splunk.yml b/integrations/docker/splunk.yml
new file mode 100644
index 0000000000000..91d4f346cca81
--- /dev/null
+++ b/integrations/docker/splunk.yml
@@ -0,0 +1,143 @@
+name: "splunk-integration"
+
+services:
+ events-generator:
+ image: wazuh/indexer-events-generator
+ build:
+ context: ../tools/events-generator
+ depends_on:
+ wazuh.indexer:
+ condition: service_healthy
+ command: bash -c "python run.py -a wazuh.indexer"
+
+ wazuh.indexer:
+ image: opensearchproject/opensearch:2.12.0
+ depends_on:
+ wazuh-certs-generator:
+ condition: service_completed_successfully
+ hostname: wazuh.indexer
+ ports:
+ - 9200:9200
+ environment:
+ - node.name=wazuh.indexer
+ - discovery.type=single-node
+ - bootstrap.memory_lock=true
+ - "DISABLE_INSTALL_DEMO_CONFIG=true"
+ - plugins.security.ssl.http.enabled=true
+ - plugins.security.allow_default_init_securityindex=true
+ - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+ - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+ - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+ - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+ - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+ - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+ - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
+ - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
+ ulimits:
+ memlock:
+ soft: -1
+ hard: -1
+ nofile:
+ soft: 65536
+ hard: 65536
+ healthcheck:
+ test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
+ start_period: 10s
+ start_interval: 3s
+ volumes:
+ - data:/usr/share/opensearch/data
+ - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
+ - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
+ - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
+
+ wazuh.dashboard:
+ image: opensearchproject/opensearch-dashboards:2.12.0
+ depends_on:
+ - wazuh.indexer
+ hostname: wazuh.dashboard
+ ports:
+ - 5601:5601 # Map host port 5601 to container port 5601
+ expose:
+ - "5601" # Expose port 5601 for web access to OpenSearch Dashboards
+ environment:
+ OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
+
+ wazuh-certs-generator:
+ image: wazuh/wazuh-certs-generator:0.0.1
+ hostname: wazuh-certs-generator
+ entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
+ volumes:
+ - ./certs/:/certificates/
+ - ./config/certs.yml:/config/certs.yml
+
+
+ # =================================
+ # Splunk and Logstash
+ # =================================
+
+ generator:
+ image: cfssl/cfssl
+ depends_on:
+ wazuh-certs-generator:
+ condition: service_completed_successfully
+ volumes:
+ - ./certs/:/certs/
+ - ../splunk/cfssl/:/conf/
+ entrypoint: /bin/bash
+ command: >
+ -c '
+ cd /certs
+ cat /conf/host.json | \
+ cfssl gencert \
+ -ca root-ca.pem \
+ -ca-key root-ca.key \
+ -config /conf/cfssl.json \
+ -profile=server - | \
+ cfssljson -bare splunk
+ openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key
+ rm splunk.csr
+ cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem
+ chown -R 1000:1000 /certs/splunk*
+ '
+
+ splunk:
+ image: splunk/splunk:9.0.4
+ volumes:
+ - ./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key
+ - ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem
+ - ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem
+ - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf
+ - ../splunk/config/default.yml:/tmp/defaults/default.yml
+ depends_on:
+ wazuh-certs-generator:
+ condition: service_completed_successfully
+ generator:
+ condition: service_completed_successfully
+ ports:
+ - '8000:8000'
+ - '8088:8088'
+ environment:
+ SPLUNK_HEC_TOKEN: "abcd1234"
+ SPLUNK_HOSTNAME: splunk
+ SPLUNK_HTTP_ENABLESSL: 'true'
+ SPLUNK_PASSWORD: Password.1234
+ SPLUNK_STANDALONE_URL: https://splunk:8080
+ SPLUNK_START_ARGS: --accept-license
+
+ logstash:
+ depends_on:
+ splunk:
+ condition: service_healthy
+ image: logstash-oss:8.6.2
+ build:
+ context: ../splunk
+ environment:
+ LOG_LEVEL: info
+ MONITORING_ENABLED: false
+ volumes:
+ - ../splunk/logstash/pipeline:/usr/share/logstash/pipeline
+ - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
+ command: logstash -f /usr/share/logstash/pipeline/indexer-to-splunk.conf
+
+volumes:
+ data:
diff --git a/integrations/splunk/README.md b/integrations/splunk/README.md
new file mode 100644
index 0000000000000..203ea83457114
--- /dev/null
+++ b/integrations/splunk/README.md
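Review bot: In `docker/splunk.yml` the splunk service fixes `SPLUNK_PASSWORD: Password.1234` and `SPLUNK_HEC_TOKEN: "abcd1234"` directly in the service definition, and the same token is repeated in `splunk/config/default.yml` and in the Logstash pipeline's Authorization header, so rotating it means editing three files in lockstep. The README names `docker/.env` as the environment file, but nothing in this compose file reads it — no `env_file:` and no `${...}` references — so `SPLUNK_PASSWORD: ${SPLUNK_PASSWORD:-Password.1234}` and `SPLUNK_HEC_TOKEN: ${SPLUNK_HEC_TOKEN:-abcd1234}` would give one place to change them without altering the default behaviour. `logstash` waits on `splunk` with `condition: service_healthy`, yet no `healthcheck:` is declared for the splunk service here, so startup depends on the image shipping one; a comment saying so would save the next reader a search. `SPLUNK_STANDALONE_URL: https://splunk:8080` names a port that is neither published nor used anywhere else in the diff, while the web UI is published on 8000; confirm which is intended.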
@@ -0,0 +1,49 @@
+# Wazuh to Splunk Integration Developer Guide
+
+This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and Splunk. For a detailed guide on how to integrate Wazuh with Splunk, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/splunk/index.html).
+
+## Requirements
+
+- Docker and Docker Compose installed.
+
+## Usage
+
+1. Clone the Wazuh repository and navigate to the `integrations/` folder.
+2. Run the following command to start the environment:
+ ```bash
+ docker compose -f ./docker/splunk.yml up -d
+ ```
+
+The Docker Compose project will bring up the following services:
+
+- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)).
+- 1x Wazuh Indexer (OpenSearch).
+- 1x Wazuh Dashboards (OpenSearch Dashboards).
+- 1x Logstash
+- 1x Splunk
+
+For custom configurations, you may need to modify these files:
+
+- [docker/splunk.yml](../docker/splunk.yml): Docker Compose file.
+- [docker/.env](../docker/.env): Environment variables file.
+- [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file.
+
+Check the files above for **credentials**, ports, and other configurations.
+
+| Service | Address | Credentials |
+| ---------------- | ---------------------- | ------------------- |
+| Wazuh Indexer | https://localhost:9200 | admin:admin |
+| Wazuh Dashboards | https://localhost:5601 | admin:admin |
+| Splunk | https://localhost:8000 | admin:Password.1234 |
+
+## Importing the dashboards
+
+The dashboards for Splunk are included in this folder. The steps to import them to Splunk are the following:
+
+- In the Splunk UI, go to `Settings` > `Data Inputs` > `HTTP Event Collector` and make sure that the `hec` token is enabled and uses the `wazuh-alerts` index.
+- Open a dashboard file and copy all its content.
+- In the Splunk UI, navigate to `Search & Reporting`, `Dashboards`, click `Create New Dashboard`, write the title and select `Dashboard Studio`, select `Grid` and click on `Create`.
+- On the top menu, there is a `Source` icon. Click on it, and replace all the content with the copied content from the dashboard file. After that, click on `Back` and click on `Save`.
+- Repeat the steps for all the desired dashboards.
+
+Imported dashboards will appear under `Search & Reporting` > `Dashboards`.
diff --git a/integrations/splunk/cfssl/ca.json b/integrations/splunk/cfssl/ca.json
new file mode 100644
index 0000000000000..8a96a70a42c42
--- /dev/null
+++ b/integrations/splunk/cfssl/ca.json
@@ -0,0 +1,15 @@
+{
+ "CN": "Wazuh",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "San Francisco",
+ "O": "Wazuh",
+ "OU": "Wazuh Root CA"
+ }
+ ]
+}
diff --git a/integrations/splunk/cfssl/cfssl.json b/integrations/splunk/cfssl/cfssl.json
new file mode 100644
index 0000000000000..d23daf762100e
--- /dev/null
+++ b/integrations/splunk/cfssl/cfssl.json
@@ -0,0 +1,58 @@
+{
+ "signing": {
+ "default": {
+ "expiry": "8760h"
+ },
+ "profiles": {
+ "intermediate_ca": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "cert sign",
+ "crl sign",
+ "server auth",
+ "client auth"
+ ],
+ "expiry": "8760h",
+ "ca_constraint": {
+ "is_ca": true,
+ "max_path_len": 0,
+ "max_path_len_zero": true
+ }
+ },
+ "peer": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "data encipherment",
+ "client auth",
+ "server auth"
+ ],
+ "expiry": "8760h"
+ },
+ "server": {
+ "usages": [
+ "signing",
+ "digital signing",
+ "key encipherment",
+ "data encipherment",
+ "server auth"
+ ],
+ "expiry": "8760h"
+ },
+ "client": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "data encipherment",
+ "client auth"
+ ],
+ "expiry": "8760h"
+ }
+ }
+ }
+}
+
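Review bot: The `server` profile in `cfssl/cfssl.json` lists `"digital signing"` where the other three profiles list `"digital signature"`; the cfssl keyword is `digital signature`, and `server` is the profile the compose file's generator selects with `-profile=server`, so the Splunk certificate is issued without the digitalSignature key usage (as far as I can tell cfssl skips unrecognised usage strings rather than rejecting the profile). Change that line to `"digital signature",`. The `intermediate_ca`, `peer` and `client` profiles, and `cfssl/ca.json`, are not referenced by any command in this diff; if they are kept on purpose, one sentence in the README saying the root CA comes from wazuh-certs-generator and these entries are unused would stop a reader assuming a CA is minted here.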
diff --git a/integrations/splunk/cfssl/host.json b/integrations/splunk/cfssl/host.json
new file mode 100644
index 0000000000000..e1d3cd064b842
--- /dev/null
+++ b/integrations/splunk/cfssl/host.json
@@ -0,0 +1,19 @@
+{
+ "CN": "splunk",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "California",
+ "O": "Wazuh",
+ "OU": "Wazuh"
+ }
+ ],
+ "hosts": [
+ "splunk",
+ "localhost"
+ ]
+}
diff --git a/integrations/splunk/config/default.yml b/integrations/splunk/config/default.yml
new file mode 100644
index 0000000000000..e9e0637d69a60
--- /dev/null
+++ b/integrations/splunk/config/default.yml
@@ -0,0 +1,25 @@
+splunk:
+ conf:
+ - key: web
+ value:
+ directory: /opt/splunk/etc/system/local
+ content:
+ settings:
+ enablesSplunkWebSSL: true
+ privKeyPath: /opt/splunk/etc/auth/custom/splunk.key
+ serverCert: /opt/splunk/etc/auth/custom/splunk.pem
+ - key: server
+ value:
+ directory: /opt/splunk/etc/system/local
+ content:
+ general:
+ serverName: splunk
+ pass4SymmKey: dadqaBZA2fzxHOvfdlSQpKjIooupehTnmjysUx7j+bP1/NucBL+rch/Kw==
+ sslConfig:
+ serverCert: /opt/splunk/etc/auth/custom/splunkhec.pem
+ hec:
+ enable: True
+ ssl: True
+ port: 8088
+ # hec.token is used only for ingestion (receiving Splunk events)
+ token: abcd1234
diff --git a/integrations/splunk/config/indexes.conf b/integrations/splunk/config/indexes.conf
new file mode 100644
index 0000000000000..81fe23e9e9515
--- /dev/null
+++ b/integrations/splunk/config/indexes.conf
@@ -0,0 +1,11 @@
+[default]
+[wazuh-alerts]
+coldPath = $SPLUNK_DB/wazuh/colddb
+enableDataIntegrityControl = 1
+enableTsidxReduction = 1
+homePath = $SPLUNK_DB/wazuh/db
+maxTotalDataSizeMB = 512000
+thawedPath = $SPLUNK_DB/wazuh/thaweddb
+timePeriodInSecBeforeTsidxReduction = 15552000
+tsidxReductionCheckPeriodInSec =
+
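Review bot: In `config/default.yml`, `enablesSplunkWebSSL: true` does not match the web.conf setting name I know, `enableSplunkWebSSL`; the extra `s` is masked here because the compose file also sets `SPLUNK_HTTP_ENABLESSL: 'true'`, so please confirm against the Splunk reference and fix the key. `pass4SymmKey` and the HEC `token: abcd1234` are committed in clear text; the existing comment says what the token is for but not that it is a throwaway lab value that has to match `SPLUNK_HEC_TOKEN` in `docker/splunk.yml` and the Authorization header in `logstash/pipeline/indexer-to-splunk.conf`, which is what a maintainer needs to know before changing it. `sslConfig.serverCert` points at `splunkhec.pem`, which the generator builds by concatenating the certificate, the private key and the root CA; a comment noting that this file contains the private key would make its handling obvious.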
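Review bot: `tsidxReductionCheckPeriodInSec =` in `config/indexes.conf` is left without a value on the last setting line of the `[wazuh-alerts]` stanza; I could not confirm how Splunk treats an empty value, so either drop the line or set it explicitly. `enableDataIntegrityControl = 1` is a sound choice because it lets bucket tampering be detected later with `splunk check-integrity`; a one-line comment saying that is why it is on would keep it from being removed as a space-saving measure.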
diff --git a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
new file mode 100644
index 0000000000000..fe6042f4c4e0c
--- /dev/null
+++ b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
@@ -0,0 +1,31 @@
+input {
+ opensearch {
+ hosts => ["wazuh.indexer:9200"]
+ user => "${INDEXER_USERNAME}"
+ password => "${INDEXER_PASSWORD}"
+ ssl => true
+ ca_file => "/usr/share/logstash/root-ca.pem"
+ index => "wazuh-alerts-4.x-*"
+ query => '{
+ "query": {
+ "range": {
+ "@timestamp": {
+ "gt": "now-1m"
+ }
+ }
+ }
+ }'
+ schedule => "* * * * *"
+ }
+}
+
+
+output {
+ http {
+ format => "json"
+ http_method => "post"
+ url => "https://splunk:8088/services/collector/raw"
+ headers => ["Authorization", "Splunk abcd1234"]
+ cacert => "/usr/share/logstash/root-ca.pem"
+ }
+}
diff --git a/integrations/splunk/logstash/setup.sh b/integrations/splunk/logstash/setup.sh
new file mode 100644
index 0000000000000..4852d27efd5e1
--- /dev/null
+++ b/integrations/splunk/logstash/setup.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/bash
+
+# This script creates and configures a keystore for Logstash to store
+# indexer's credentials. NOTE: works only for dockerized logstash.
+# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html
+
+# Create keystore
+/usr/share/logstash/bin/logstash-keystore create
+echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME
+echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD
diff --git a/integrations/splunk/wazuh-amazon-aws b/integrations/splunk/wazuh-amazon-aws
new file mode 100644
index 0000000000000..84cd253410bb2
--- /dev/null
+++ b/integrations/splunk/wazuh-amazon-aws
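Review bot: In `logstash/pipeline/indexer-to-splunk.conf` the output sends the HEC token in clear text, `headers => ["Authorization", "Splunk abcd1234"]`, while the input takes the indexer credentials from the keystore through `${INDEXER_USERNAME}` and `${INDEXER_PASSWORD}`; the token deserves the same treatment, e.g. `headers => ["Authorization", "Splunk ${SPLUNK_HEC_TOKEN}"]` with the value added in `logstash/setup.sh`. The input runs every minute and selects documents with `@timestamp` greater than `now-1m`, so a delayed run drops events and an early one re-sends them; if that is acceptable for a test bed, a comment above `schedule` saying so would stop the file from being copied into production as-is. Keeping `cacert` pinned to `root-ca.pem` rather than disabling verification is the right call and worth preserving when the file is adapted.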
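Review bot: `logstash/setup.sh` is not invoked anywhere in this diff — the compose file has `build: context: ../splunk` but the file list contains no Dockerfile — so unless one already exists in that directory the `${INDEXER_USERNAME}` and `${INDEXER_PASSWORD}` references in the pipeline stay unresolved; confirm and document how the script is run. The script pipes the literal `admin` into both keystore entries; reading them from the environment, e.g. `echo "${INDEXER_PASSWORD:-admin}"`, keeps the default behaviour while taking the credential out of a tracked file. Adding `set -euo pipefail` after the shebang would stop the script when `logstash-keystore create` fails instead of running the `add` steps against a missing keystore. If `LOGSTASH_KEYSTORE_PASS` is unset the keystore is created without a password, as far as I recall, which is fine for a lab but should be stated in the header comment.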
@@ -0,0 +1,136 @@ +{ + "visualizations": { + "viz_lTJLU7ar": { + "type": "splunk.area", + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count", + "legendDisplay": "left" + }, + "dataSources": { + "primary": "ds_BHh1kZmb" + }, + "title": "Events by source over time" + }, + "viz_l5qazB46": { + "type": "splunk.pie", + "options": { + "showDonutHole": true + }, + "dataSources": { + "primary": "ds_Y2J0psR4" + }, + "title": "Sources" + }, + "viz_1JzeNwnq": { + "type": "splunk.table", + "title": "Events", + "dataSources": { + "primary": "ds_K2y81pak" + } + } + }, + "dataSources": { + "ds_BHh1kZmb": { + "type": "ds.search", + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + }, + "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | timechart count by \"data.aws.source\"" + }, + "name": "Search_1" + }, + "ds_Y2J0psR4": { + "type": "ds.search", + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + }, + "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | chart count by \"data.aws.source\"" + }, + "name": "Search_2" + }, + "ds_K2y81pak": { + "type": "ds.search", + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + }, + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.aws.source\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.aws.source, rule.description, rule.level, rule.id" + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now", + "queryParameters": { + 
"latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_lTJLU7ar", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 795, + "h": 334 + } + }, + { + "item": "viz_1JzeNwnq", + "type": "block", + "position": { + "x": 0, + "y": 334, + "w": 1200, + "h": 358 + } + }, + { + "item": "viz_l5qazB46", + "type": "block", + "position": { + "x": 795, + "y": 0, + "w": 405, + "h": 334 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-amazon-aws-v1.0" +} diff --git a/integrations/splunk/wazuh-docker-listener b/integrations/splunk/wazuh-docker-listener new file mode 100644 index 0000000000000..756d9145b8875 --- /dev/null +++ b/integrations/splunk/wazuh-docker-listener 
@@ -0,0 +1,130 @@ +{ + "visualizations": { + "viz_OcJb59wC": { + "type": "splunk.pie", + "options": { + "showDonutHole": true + }, + "dataSources": { + "primary": "ds_5TEzCbIf" + }, + "title": "Top 5 events" + }, + "viz_bQPbbrvw": { + "type": "splunk.column", + "title": "Events by source over time", + "dataSources": { + "primary": "ds_l6nQN96B" + }, + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + } + }, + "viz_7GGKwL33": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_gW45zmr5" + }, + "title": "Events" + } + }, + "dataSources": { + "ds_5TEzCbIf": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | top limit=5 data.docker.Action | chart count by data.docker.Action", + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + }, + "name": "Search_1" + }, + "ds_l6nQN96B": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by data.docker.Type useother=false usenull=false\n", + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + }, + "name": "Search_2" + }, + "ds_gW45zmr5": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.docker.Type\"=\"*\", \"data.docker.Actor.ID\"=\"*\", \"data.docker.Action\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.docker.Type, data.docker.Actor.ID, data.docker.Action, rule.description, rule.level, rule.id", + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": 
"global_time", + "defaultValue": "-24h@h,now" + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_OcJb59wC", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 415, + "h": 316 + } + }, + { + "item": "viz_7GGKwL33", + "type": "block", + "position": { + "x": 0, + "y": 316, + "w": 1200, + "h": 378 + } + }, + { + "item": "viz_bQPbbrvw", + "type": "block", + "position": { + "x": 415, + "y": 0, + "w": 785, + "h": 316 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-docker-listener-v1.0" +} diff --git a/integrations/splunk/wazuh-incident-response b/integrations/splunk/wazuh-incident-response new file mode 100644 index 0000000000000..7b9f20005ff08 --- /dev/null +++ b/integrations/splunk/wazuh-incident-response 
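Review bot: In `ds_5TEzCbIf` of `wazuh-docker-listener`, `top limit=5 data.docker.Action | chart count by data.docker.Action` counts the five rows that `top` returns rather than the underlying events, so every slice of the "Top 5 events" pie gets the value 1; `top` already emits a `count` field, so the query can end at `index="wazuh-alerts" | top limit=5 data.docker.Action`. The same pattern is in `ds_T5OG9qjO` of `wazuh-incident-response` and `ds_EmDJmxMO` of `wazuh-security-events`. Since these are Dashboard Studio exports with no comment syntax, a line in the README noting that the "top" pies rely on the `count` field produced by `top` would be the place to record the intent.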
@@ -0,0 +1,135 @@ +{ + "visualizations": { + "viz_bRMOrrNo": { + "type": "splunk.pie", + "options": { + "showDonutHole": true + }, + "dataSources": { + "primary": "ds_T5OG9qjO" + }, + "title": "Alert groups" + }, + "viz_iOvmhhgU": { + "type": "splunk.table", + "options": {}, + "dataSources": { + "primary": "ds_tnYl87gQ" + } + }, + "viz_P0bNNVfw": { + "type": "splunk.column", + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "dataSources": { + "primary": "ds_GccX6Lrj" + }, + "title": "Events" + } + }, + "dataSources": { + "ds_T5OG9qjO": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"*\" | top limit=5 \"rule.groups{}\" | chart count by \"rule.groups{}\" useother=false usenull=false", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_tnYl87gQ": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.groups{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.groups{}, rule.description, rule.level, rule.id", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_GccX6Lrj": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"audit\" | timechart count by \"rule.groups{}\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now", + "queryParameters": { 
+ "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_bRMOrrNo", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 388, + "h": 292 + } + }, + { + "item": "viz_iOvmhhgU", + "type": "block", + "position": { + "x": 0, + "y": 292, + "w": 1200, + "h": 399 + } + }, + { + "item": "viz_P0bNNVfw", + "type": "block", + "position": { + "x": 388, + "y": 0, + "w": 812, + "h": 292 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-incident-response-v1.0" +} diff --git a/integrations/splunk/wazuh-malware-detection b/integrations/splunk/wazuh-malware-detection new file mode 100644 index 0000000000000..620e8bbb37116 --- /dev/null +++ b/integrations/splunk/wazuh-malware-detection 
@@ -0,0 +1,136 @@ +{ + "visualizations": { + "viz_Q5GQT6h2": { + "type": "splunk.area", + "dataSources": { + "primary": "ds_N3cdEic4" + }, + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "title": "Emotet malware activity" + }, + "viz_U8vFKyUp": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_f5AJxLS5" + }, + "title": "Security alerts" + }, + "viz_uLQLGVbg": { + "type": "splunk.line", + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "dataSources": { + "primary": "ds_IcWLWjPn" + }, + "title": "Rootkits activity over time" + } + }, + "dataSources": { + "ds_N3cdEic4": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"rootcheck\" | timechart count by \"rule.groups{}\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_f5AJxLS5": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.mitre.technique{}\"=\"*\", \"rule.mitre.tactic{}\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\", \"rule.description\"=\"*\" | table _time, agent.name, rule.mitre.technique{}, rule.mitre.tactic{}, rule.level, rule.id, rule.description\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_IcWLWjPn": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by data.title useother=false usenull=false\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + 
"token": "global_time", + "defaultValue": "-60m@m,now", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_Q5GQT6h2", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 458, + "h": 293 + } + }, + { + "item": "viz_U8vFKyUp", + "type": "block", + "position": { + "x": 0, + "y": 293, + "w": 1200, + "h": 381 + } + }, + { + "item": "viz_uLQLGVbg", + "type": "block", + "position": { + "x": 458, + "y": 0, + "w": 742, + "h": 293 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-malware-detection-v1.0" +} diff --git a/integrations/splunk/wazuh-pci-dss b/integrations/splunk/wazuh-pci-dss new file mode 100644 index 0000000000000..681acc9193b81 --- /dev/null +++ b/integrations/splunk/wazuh-pci-dss 
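Review bot: In `wazuh-malware-detection` the panel titles and their searches appear swapped: "Emotet malware activity" (`viz_Q5GQT6h2`) is backed by `ds_N3cdEic4`, whose query filters `"rule.groups{}"="rootcheck"`, while "Rootkits activity over time" (`viz_uLQLGVbg`) is backed by `ds_IcWLWjPn`, whose query is `index="wazuh-alerts" | timechart count by data.title` with no rule filter at all. Either swap the two `dataSources.primary` references or retitle the panels to say what the searches actually show; as written, a user would read rootcheck alerts as Emotet activity. The trailing `\n` inside several `query` strings in this file is harmless but looks like editor residue and could be trimmed on the next export.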
@@ -0,0 +1,136 @@ +{ + "visualizations": { + "viz_9NIbkgTo": { + "type": "splunk.bubble", + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "dataSources": { + "primary": "ds_g3vSgFS7" + }, + "title": "PCI DSS requirements" + }, + "viz_Z6CAbCjJ": { + "type": "splunk.column", + "options": { + "stackMode": "stacked", + "yAxisTitleText": "count", + "xAxisTitleText": "requirements" + }, + "dataSources": { + "primary": "ds_lljKZIBi" + }, + "title": "Requirements by agent" + }, + "viz_AtTGNj0f": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_9ABDZ4aq" + }, + "title": "Recent events" + } + }, + "dataSources": { + "ds_g3vSgFS7": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.pci_dss{}\"=\"*\" | timechart count by \"rule.pci_dss{}\"\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_lljKZIBi": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\" | chart count by \"rule.pci_dss{}\", \"agent.name\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_9ABDZ4aq": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.pci_dss{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.pci_dss{}, rule.description, rule.level, rule.id", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": 
"-60m@m,now", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_9NIbkgTo", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 629, + "h": 400 + } + }, + { + "item": "viz_AtTGNj0f", + "type": "block", + "position": { + "x": 0, + "y": 400, + "w": 1200, + "h": 291 + } + }, + { + "item": "viz_Z6CAbCjJ", + "type": "block", + "position": { + "x": 629, + "y": 0, + "w": 571, + "h": 400 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-pci-dss-v1.0" +} \ No newline at end of file diff --git a/integrations/splunk/wazuh-security-events b/integrations/splunk/wazuh-security-events new file mode 100644 index 0000000000000..7d5d033ab0bec --- /dev/null +++ b/integrations/splunk/wazuh-security-events 
@@ -0,0 +1,296 @@ +{ + "visualizations": { + "viz_oAPKLE0R": { + "type": "splunk.column", + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "Count", + "stackMode": "stacked" + }, + "dataSources": { + "primary": "ds_TdanKF0I" + }, + "showProgressBar": false, + "showLastUpdated": false, + "title": "Alerts evolution - Top 5 agents", + "description": "" + }, + "viz_Y07WmZ1b": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_ut2DiVW9" + }, + "title": "Security alerts", + "description": "" + }, + "viz_DI7fpctI": { + "type": "splunk.pie", + "dataSources": { + "primary": "ds_EmDJmxMO" + }, + "showProgressBar": false, + "showLastUpdated": false, + "title": "Top Mitre ATT&K tactics" + }, + "viz_qYCIuSjF": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#0258a1", + "trendColor": "#000000" + }, + "dataSources": { + "primary": "ds_d9cN1Qn9" + }, + "title": "Total" + }, + "viz_aTlMnG7A": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#db566f" + }, + "dataSources": { + "primary": "ds_ZPT4uVoe" + }, + "title": "Level 12 or above alerts" + }, + "viz_R8LMR6U6": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#bf0561" + }, + "dataSources": { + "primary": "ds_d8m0U7Ph" + }, + "title": "Authentication failure" + }, + "viz_nDMI4ZGW": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#007d73" + }, + "dataSources": { + "primary": "ds_7FDRhb5m" + }, + "title": "Authentication success" + } + }, + "dataSources": { + "ds_TdanKF0I": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by agent.name\n\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_ut2DiVW9": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.mitre.id{}\"=\"*\" | table _time, agent.name, rule.mitre.id{}, rule.mitre.tactic{}, 
rule.description, rule.level, rule.id\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_EmDJmxMO": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | top limit=5 agent.name | chart count by agent.name\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + }, + "ds_5QIbKzqF": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | chart count by rule.groups", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_4" + }, + "ds_d9cN1Qn9": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_5" + }, + "ds_ZPT4uVoe": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" rule.level>=12 | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_6" + }, + "ds_d8m0U7Ph": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"authentication_failed\" OR \"rule.groups{}\"=\"win_authentication_failed\" OR \"rule.groups{}\"=\"authentication_failures\" | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_7" + }, + "ds_7FDRhb5m": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=authentication_success | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_8" + }, + "ds_UIfFJptm": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | stats count", + 
"queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_9" + }, + "ds_z3i8WcOf": { + "type": "ds.search", + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + }, + "query": "wazuh-alerts-4.x-sample rule.groups=\"authentication_failures\" | stats count by rule.groups" + }, + "name": "Search_10" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_qYCIuSjF", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 291, + "h": 137 + } + }, + { + "item": "viz_oAPKLE0R", + "type": "block", + "position": { + "x": 0, + "y": 137, + "w": 731, + "h": 326 + } + }, + { + "item": "viz_Y07WmZ1b", + "type": "block", + "position": { + "x": 0, + "y": 463, + "w": 1200, + "h": 400 + } + }, + { + "item": "viz_aTlMnG7A", + "type": "block", + "position": { + "x": 291, + "y": 0, + "w": 286, + "h": 137 + } + }, + { + "item": "viz_R8LMR6U6", + "type": "block", + "position": { + "x": 577, + "y": 0, + "w": 301, + "h": 137 + } + }, + { + "item": "viz_DI7fpctI", + "type": "block", + "position": { + "x": 731, + "y": 137, + "w": 469, + "h": 326 + } + }, + { + "item": "viz_nDMI4ZGW", + "type": "block", + "position": { + "x": 878, + "y": 0, + "w": 322, + "h": 137 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-security-events-v1.0" +} \ No newline at end of file 
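Review bot: The "Top Mitre ATT&K tactics" pie (`viz_DI7fpctI`) is bound to `ds_EmDJmxMO`, whose query is `index="wazuh-alerts" | top limit=5 agent.name | chart count by agent.name` — it groups by agent, not by MITRE tactic, and the trailing `chart count` re-counts the five rows `top` emitted, so each slice would show a count of 1; something like `index="wazuh-alerts" "rule.mitre.tactic{}"="*" | top limit=5 "rule.mitre.tactic{}"` matches the title (which should also read `ATT&CK`). The data sources `ds_5QIbKzqF`, `ds_UIfFJptm` and `ds_z3i8WcOf` are not referenced by any visualization and search the bare term `wazuh-alerts-4.x-sample` with no `index=` scope, which looks like leftover development fixtures; they should be removed so the shipped dashboard only contains queries pinned to the `wazuh-alerts` index. The "Alerts evolution - Top 5 agents" chart uses `timechart count by agent.name` with no `limit=5`, so it falls back to timechart's default series limit plus an OTHER series rather than the top five named in the title.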
diff --git a/integrations/splunk/wazuh-vulnerabilities b/integrations/splunk/wazuh-vulnerabilities new file mode 100644 index 0000000000000..56174696e2673 --- /dev/null +++ b/integrations/splunk/wazuh-vulnerabilities 
@@ -0,0 +1,261 @@ +{ + "visualizations": { + "viz_XlLyYDmC": { + "type": "splunk.area", + "dataSources": { + "primary": "ds_DljIxEDR" + }, + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "title": "Alert severity" + }, + "viz_qzFw5Wx7": { + "type": "splunk.table", + "options": {}, + "dataSources": { + "primary": "ds_Irx4cEkl" + } + }, + "viz_3V3AvVY4": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_oyvgAG73" + }, + "title": "Critical Severity Alerts", + "options": { + "majorColor": "#db566f" + } + }, + "viz_cmEIbZ9q": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_TVyYlSRA" + }, + "title": "Hight Severity Alerts", + "options": { + "majorColor": "#0258a1" + } + }, + "viz_4QSVuglC": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_D0hAYmXA" + }, + "title": "Medium Severity Alerts", + "options": { + "majorColor": "#007d73" + } + }, + "viz_VI9ZdnSO": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_1KrtDz29" + }, + "title": "Low Severity Alerts", + "options": { + "majorColor": "#232323" + } + } + }, + "dataSources": { + "ds_DljIxEDR": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by data.vulnerability.severity useother=false usenull=false", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_31leL1fM": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_jymjmvtF": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", + "queryParameters": { + "latest": "$global_time.latest$", + 
"earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + }, + "ds_jEwqnxee": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_4" + }, + "ds_Irx4cEkl": { + "type": "ds.search", + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + }, + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.vulnerability.cve\"=\"*\", \"data.vulnerability.package.name\"=\"*\", \"data.vulnerability.package.version\"=\"*\", \"data.vulnerability.severity\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.vulnerability.cve, data.vulnerability.package.name, data.vulnerability.package.version, data.vulnerability.severity, rule.id\n\n" + }, + "name": "Search_5" + }, + "ds_oyvgAG73": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Critical\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_6" + }, + "ds_TVyYlSRA": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"High\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_7" + }, + "ds_D0hAYmXA": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Medium\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_8" + }, + "ds_1KrtDz29": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" 
\"data.vulnerability.severity\"=\"Low\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_9" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_3V3AvVY4", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 279, + "h": 131 + } + }, + { + "item": "viz_XlLyYDmC", + "type": "block", + "position": { + "x": 0, + "y": 131, + "w": 1200, + "h": 284 + } + }, + { + "item": "viz_qzFw5Wx7", + "type": "block", + "position": { + "x": 0, + "y": 415, + "w": 1200, + "h": 251 + } + }, + { + "item": "viz_cmEIbZ9q", + "type": "block", + "position": { + "x": 279, + "y": 0, + "w": 293, + "h": 131 + } + }, + { + "item": "viz_4QSVuglC", + "type": "block", + "position": { + "x": 572, + "y": 0, + "w": 309, + "h": 131 + } + }, + { + "item": "viz_VI9ZdnSO", + "type": "block", + "position": { + "x": 881, + "y": 0, + "w": 319, + "h": 131 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-vulnerabilities-v1.0" +}
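Review bot: The data sources `ds_31leL1fM`, `ds_jymjmvtF` and `ds_jEwqnxee` are identical copies of `wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity`, are bound to no visualization, and search without an `index=` scope; they appear to be leftovers from authoring against the sample index and should be deleted so every query in the shipped dashboard is pinned to `index="wazuh-alerts"` like `ds_DljIxEDR`. The table visualization `viz_qzFw5Wx7` has an empty `options` and no `title`, unlike every other panel; give it one such as `"title": "Recent vulnerability alerts"` so the panel is identifiable. The radial titled `"Hight Severity Alerts"` should read `"High Severity Alerts"`. The four severity counters each issue a separate `stats count by "data.vulnerability.severity"` search over the same index and time range; a single search feeding all four would halve the load per refresh, though the per-panel form is functional as written.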