
Amazon Security Lake integration - Use Security Finding class #215

Closed · 2 tasks done · AlexRuiz7 opened this issue Apr 25, 2024 · 1 comment · Fixed by #221

Labels: level/task Task, type/enhancement Enhancement issue

Comments

AlexRuiz7 (Member) commented Apr 25, 2024

Description

Related issue: #128

The Detection Finding class has proven to be unsupported by Amazon Security Lake (at least not yet), as per the conclusions on #213.

Initially, we thought about using the Security Finding class. Refer to #145 and https://github.com/wazuh/internal-devel-requests/issues/699#issuecomment-1927242316 for more information about this mapping.

Tasks

  • Map Wazuh Events to OCSF Security Finding class.
  • Make the integration use this class.

Implementation restrictions

  • Extend the current code (keeping the existing mapping to the Detection Finding class), so we can upgrade in the future (the Security Finding class is deprecated).
  • By default, the integration will use the Security Finding class, but the class to use can be defined using an environment variable.
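As an added example (not the integration's own code), the two restrictions above carried out in Python for a single alert: the class is chosen from an environment variable with Security Finding as the default, and the alert is mapped to an OCSF Security Finding (class_uid 2001, type_uid 200101) shaped like the validated rows shown in the follow-up comment. The variable name `OCSF_CLASS`, the severity banding and the sample alert are my assumptions; 2004 is the OCSF class_uid of Detection Finding, whose body differs from Security Finding and is not reproduced here.

```python
import os
from datetime import datetime

# OCSF identifiers: Security Finding is class 1 of category 2 ("Findings");
# type_uid = class_uid * 100 + activity_id, so activity 1 (Create) gives 200101.
SECURITY_FINDING_UID = 2001
DETECTION_FINDING_UID = 2004  # successor class whose mapping the issue wants to keep
OCSF_CLASS_ENV = "OCSF_CLASS"  # hypothetical variable name; the issue does not name one

# Constructed Wazuh alert, shaped after the first rootcheck row of the validated table.
SAMPLE_ALERT = {
    "id": "1580123327.49031", "timestamp": "2024-04-29T12:40:01+00:00",
    "rule": {"id": "510", "level": 7, "firedtimes": 8, "groups": ["wazuh", "rootcheck"],
             "description": "Host-based anomaly detection event (rootcheck)."},
    "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal"},
    "decoder": {"name": "rootcheck"}, "location": "rootcheck",
    "full_log": "Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'.",
}

def select_class_uid(env=None):
    """Security Finding by default; Detection Finding only when the variable asks for it."""
    env = os.environ if env is None else env
    wanted = env.get(OCSF_CLASS_ENV, "security").strip().lower()
    return DETECTION_FINDING_UID if wanted == "detection" else SECURITY_FINDING_UID

def severity_id(level):
    # Assumed banding of Wazuh rule levels; agrees with the table (level 3 -> 1, level 7 -> 2).
    return 1 if level <= 3 else 2 if level <= 7 else 3 if level <= 11 else 4

def to_security_finding(alert):
    """Map one Wazuh alert to an OCSF 2001 Security Finding with the fields seen in the table."""
    rule, agent, activity_id = alert["rule"], alert["agent"], 1
    return {
        "activity_id": activity_id, "category_uid": 2, "category_name": "Findings",
        "class_uid": SECURITY_FINDING_UID, "class_name": "Security Finding",
        "type_uid": SECURITY_FINDING_UID * 100 + activity_id,
        "analytic": {"category": ", ".join(rule["groups"]), "name": alert["decoder"]["name"],
                     "type": "Rule", "type_id": 1, "uid": rule["id"]},
        "count": rule["firedtimes"],
        "message": rule["description"],
        "finding": {"title": rule["description"], "types": ["log"], "uid": alert["id"]},
        "metadata": {"log_name": "Security events", "log_provider": "Wazuh", "version": "1.1.0",
                     "product": {"lang": "en", "name": "Wazuh", "vendor_name": "Wazuh, Inc."}},
        "raw_data": alert.get("full_log", ""),
        "resources": [{"name": agent["name"], "uid": agent["id"]}],
        "risk_score": rule["level"], "severity_id": severity_id(rule["level"]),
        "state_id": 1, "status_id": 99,  # 1 = New, 99 = Other
        "time": int(datetime.fromisoformat(alert["timestamp"]).timestamp()),
        "unmapped": {"data_sources": [alert["location"], "wazuh-manager"], "nist": []},
    }
```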
@AlexRuiz7 AlexRuiz7 added level/task Task issue type/enhancement Enhancement issue labels Apr 25, 2024
@AlexRuiz7 AlexRuiz7 self-assigned this Apr 25, 2024
@AlexRuiz7 AlexRuiz7 changed the title Amazon Security Lake integration - Map events to the OCSF Security Finding class Amazon Security Lake integration - Use Security Finding class Apr 25, 2024
@wazuhci wazuhci moved this to Backlog in Release 4.9.0 Apr 25, 2024
@wazuhci wazuhci moved this from Backlog to In progress in Release 4.9.0 Apr 29, 2024
AlexRuiz7 (Member, Author) commented

Successfully mapped events to the Security Finding class.

+---------------+------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------------+----------------+------------------+-------------+---------+-------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------+
|   activity_id | analytic                                                                                             | attacks                                                                                                     | category_name   |   category_uid | class_name       |   class_uid |   count | message                                         | finding                                                                                                                        | metadata                                                                                                                                                | raw_data                                                                                                     | resources                                                            |   risk_score |   severity_id |   state_id |   status_id |       time |   type_uid | unmapped                                                                                                            |
|---------------+------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------------+----------------+------------------+-------------+---------+-------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------|
|             1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       8 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'.                                             | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            7 |             2 |          1 |          99 | 1714394401 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |      16 | Audit: Command: /usr/sbin/consoletype           | {'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                              | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          1 |          99 | 1714394411 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '4454'}                   | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 4                                  | {'title': 'Sample alert 4', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                              | [{'name': 'RHEL7', 'uid': '001'}]                                    |            2 |             1 |          1 |          99 | 1714394406 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       4 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'.                                    | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             2 |          1 |          99 | 1714394456 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/crond                 | {'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                              | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          1 |          99 | 1714394446 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                  | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                              | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          1 |          99 | 1714394451 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       8 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'.                                       | [{'name': 'RHEL7', 'uid': '001'}]                                    |            7 |             2 |          1 |          99 | 1714394461 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       7 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic). | [{'name': 'Debian', 'uid': '007'}]                                   |            7 |             2 |          1 |          99 | 1714394649 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
+---------------+------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------------+----------------+------------------+-------------+---------+-------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------+

(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ parquet-tools show ~/Downloads/ext_wazuh_region=us-east-1_accountId=111111111111_eventDay=20240429_252e485ff62a480f98f8d13bb085c55e.parquet > parquet.txt
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ rm -rf parquet
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ mkdir parquet
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ cp ~/Downloads/ext_wazuh_region=us-east-1_accountId=111111111111_eventDay=20240429_252e485ff62a480f98f8d13bb085c55e.parquet parquet/
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ python validate.py -i parquet/

ATTEMPTING TO VALIDATE FILE: ext_wazuh_region=us-east-1_accountId=111111111111_eventDay=20240429_252e485ff62a480f98f8d13bb085c55e.parquet

VALID OCSF.

@wazuhci wazuhci moved this from In progress to Pending final review in Release 4.9.0 Apr 29, 2024
@wazuhci wazuhci moved this from Pending final review to Done in Release 4.9.0 Apr 30, 2024