From ca30b7ebbd0255b9db98bf2dc92c1355a9060465 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Thu, 6 Jun 2024 18:25:12 +0200 Subject: [PATCH 1/5] Add Splunk integration Draft --- integrations/.gitignore | 4 +- integrations/docker/splunk.yml | 144 ++++++++++++++++++ integrations/splunk/README.md | 48 ++++++ integrations/splunk/config/default.yml | 25 +++ integrations/splunk/config/indexes.conf | 11 ++ .../logstash/pipeline/indexer-to-splunk.conf | 31 ++++ integrations/splunk/logstash/setup.sh | 10 ++ 7 files changed, 270 insertions(+), 3 deletions(-) create mode 100644 integrations/docker/splunk.yml create mode 100644 integrations/splunk/README.md create mode 100644 integrations/splunk/config/default.yml create mode 100644 integrations/splunk/config/indexes.conf create mode 100644 integrations/splunk/logstash/pipeline/indexer-to-splunk.conf create mode 100644 integrations/splunk/logstash/setup.sh diff --git a/integrations/.gitignore b/integrations/.gitignore index c7d6d28b2b4d7..b19d2a92e9ace 100644 --- a/integrations/.gitignore +++ b/integrations/.gitignore @@ -1,5 +1,3 @@ opensearch -splunk -common -config +external docker/certs \ No newline at end of file diff --git a/integrations/docker/splunk.yml b/integrations/docker/splunk.yml new file mode 100644 index 0000000000000..24251585e8936 --- /dev/null +++ b/integrations/docker/splunk.yml 
@@ -0,0 +1,144 @@ +name: "splunk-integration" + +services: + events-generator: + image: wazuh/indexer-events-generator + build: + context: ../tools/events-generator + # container_name: events-generator + depends_on: + wazuh.indexer: + condition: service_healthy + command: bash -c "python run.py -a wazuh.indexer" + + wazuh.indexer: + image: opensearchproject/opensearch:2.12.0 + # container_name: wazuh.indexer + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + hostname: wazuh.indexer + ports: + - 9200:9200 + environment: + - node.name=wazuh.indexer + - discovery.type=single-node + - bootstrap.memory_lock=true + - "DISABLE_INSTALL_DEMO_CONFIG=true" + - plugins.security.ssl.http.enabled=true + - plugins.security.allow_default_init_securityindex=true + - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + healthcheck: + test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster + start_period: 10s + start_interval: 3s + volumes: + - data:/usr/share/opensearch/data + - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem + - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem + - 
./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem + + wazuh.dashboard: + image: opensearchproject/opensearch-dashboards:2.12.0 + # container_name: wazuh.dashboard + depends_on: + - wazuh.indexer + hostname: wazuh.dashboard + ports: + - 5601:5601 # Map host port 5601 to container port 5601 + expose: + - "5601" # Expose port 5601 for web access to OpenSearch Dashboards + environment: + OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query + + wazuh-certs-generator: + image: wazuh/wazuh-certs-generator:0.0.1 + hostname: wazuh-certs-generator + # container_name: wazuh-certs-generator + entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" + volumes: + - ./certs/:/certificates/ + - ./config/certs.yml:/config/certs.yml + + + # ================================= + # Splunk and Logstash + # ================================= + # https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-docker.html + + generator: + image: alpine/openssl:latest + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + volumes: + - ./certs/:/certs/ + entrypoint: > + sh -c " + openssl req -x509 -newkey rsa:4096 -passout pass:abcd1234 -keyout /certs/splunk.key -out /certs/splunk.pem -days 365 -subj '/CN=Wazuh' && + cat /certs/splunk.pem /certs/splunk.key /certs/root-ca.pem > /certs/splunkhec.pem + " + # entrypoint: > + # sh -c " + # cat /certs/splunk.pem /certs/splunk-key.pem /certs/root-ca.pem > /sp_certs/splunkhec.pem && + # cp /certs/splunk.pem /sp_certs/splunk.pem && + # cp /certs/splunk-key.pem /sp_certs/splunk-key.pem + # " + + splunk: + image: splunk/splunk:9.0.4 + volumes: + - ./certs:/opt/splunk/etc/auth/custom + - ../splunk/config/default.yml:/tmp/defaults/default.yml + - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf + depends_on: + wazuh-certs-generator: + condition: 
service_completed_successfully + ports: + - '8000:8000' + - '8088:8088' + environment: + SPLUNK_START_ARGS: --accept-license + SPLUNK_HTTP_ENABLESSL: 'true' + # SPLUNK_HTTP_ENABLESSL_CERT: /opt/splunk/etc/auth/custom/splunk.pem + # SPLUNK_HTTP_ENABLESSL_PRIVKEY: /opt/splunk/etc/auth/custom/splunk.key + # SPLUNK_HTTP_ENABLESSL_PRIVKEY_PASSWORD: "abcd1234" + # SPLUNK_HEC_TOKEN: "abcd1234" + SPLUNK_PASSWORD: password + SPLUNK_HOSTNAME: splunk + SPLUNK_STANDALONE_URL: https://splunk:8080 + + logstash: + depends_on: + splunk: + condition: service_healthy + image: logstash-oss:8.6.2 + # container_name: logstash + build: + context: ../elastic + environment: + LOG_LEVEL: info + MONITORING_ENABLED: false + volumes: + - ../splunk/logstash/pipeline:/usr/share/logstash/pipeline + - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem + # - sp_certs:/etc/certs/elastic + command: logstash -f /usr/share/logstash/pipeline/indexer-to-splunk.conf + +volumes: + data: + sp_certs: diff --git a/integrations/splunk/README.md b/integrations/splunk/README.md new file mode 100644 index 0000000000000..a2086d9e21bc1 --- /dev/null +++ b/integrations/splunk/README.md 
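Review bot: Every credential in the new compose file is a literal — `SPLUNK_PASSWORD: password`, `curl -sku admin:admin` in the indexer healthcheck and the key passphrase `-passout pass:abcd1234` in the generator entrypoint — even though the README in this series points at `docker/.env` as the environment-variables file; reference them from there, e.g. `SPLUNK_PASSWORD: ${SPLUNK_PASSWORD}`, so values can be rotated without editing the compose file (patches 2 and 3 rewrite the same `environment:` block and keep literal `Password.1234` and `SPLUNK_HEC_TOKEN: "abcd1234"`). `MONITORING_ENABLED: false` is a YAML boolean inside an `environment:` map while `SPLUNK_HTTP_ENABLESSL: 'true'` is quoted; Compose wants environment values as strings, so write `MONITORING_ENABLED: 'false'`. The pipeline mounted into logstash reads `${INDEXER_USERNAME}`/`${INDEXER_PASSWORD}`, but nothing here runs `setup.sh` or sets those variables, and Logstash treats an unresolved `${VAR}` with no default as a configuration error — unless the image built from `../elastic` seeds the keystore, the input will not start.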
@@ -0,0 +1,48 @@ +# Wazuh to Splunk Integration Developer Guide + +This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and the Elastic Stack. For a detailed guide on how to integrate Wazuh with Elastic Stack, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html). + +## Requirements + +- Docker and Docker Compose installed. + +## Usage + +1. Clone the Wazuh repository and navigate to the `integrations/` folder. +2. Run the following command to start the environment: + ```bash + docker compose -f ./docker/elastic.yml up -d + ``` + +The Docker Compose project will bring up the following services: + +- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). +- 1x Wazuh Indexer (OpenSearch). +- 1x Wazuh Dashboards (OpenSearch Dashboards). +- 1x Logstash +- 1x Splunk + +For custom configurations, you may need to modify these files: + +- [docker/elastic.yml](../docker/elastic.yml): Docker Compose file. +- [docker/.env](../docker/.env): Environment variables file. +- [elastic/logstash/pipeline/indexer-to-elastic.conf](./logstash/pipeline/indexer-to-elastic.conf): Logstash Pipeline configuration file. + +Check the files above for **credentials**, ports, and other configurations. + +| Service | Address | Credentials | +| ---------------- | ---------------------- | --------------- | +| Wazuh Indexer | https://localhost:9200 | admin:admin | +| Wazuh Dashboards | https://localhost:5601 | admin:admin | +| Elastic | https://localhost:9201 | elastic:elastic | +| Kibana | https://localhost:5602 | elastic:elastic | + +## Importing the dashboards + +The dashboards for Elastic are included in [dashboards.ndjson](./dashboards.ndjson). The steps to import them to Elastic are the following: + +- On Kibana, expand the left menu, and go to `Stack management`. 
+- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file.
+- Click on Import and complete the process.
+
+Imported dashboards will appear in the `Dashboards` app on the left menu.
diff --git a/integrations/splunk/config/default.yml b/integrations/splunk/config/default.yml
new file mode 100644
index 0000000000000..b4f2ea2e542b3
--- /dev/null
+++ b/integrations/splunk/config/default.yml
@@ -0,0 +1,25 @@
+splunk:
+ conf:
+ - key: web
+ value:
+ directory: /opt/splunk/etc/system/local
+ content:
+ settings:
+ enablesSplunkWebSSL: true
+ privKeyPath: /opt/splunk/etc/auth/custom/splunk.key
+ serverCert: /opt/splunk/etc/auth/custom/splunk.pem
+ - key: server
+ value:
+ directory: /opt/splunk/etc/system/local
+ content:
+ general:
+ serverName: splunk
+ pass4SymmKey: dadqaBZA2fzxHOvfdlSQpKjIooupehTnmjysUx7j+bP1/NucBL+rch/Kw==
+ sslConfig:
+ serverCert: /opt/splunk/etc/auth/custom/splunkhec.pem
+ hec:
+ enable: True
+ ssl: True
+ port: 8088
+ # hec.token is used only for ingestion (receiving Splunk events)
+ token: a51ddfbd-3a69-468f-a235-e63f5d9704cc
diff --git a/integrations/splunk/config/indexes.conf b/integrations/splunk/config/indexes.conf
new file mode 100644
index 0000000000000..81fe23e9e9515
--- /dev/null
+++ b/integrations/splunk/config/indexes.conf
@@ -0,0 +1,11 @@
+[default]
+[wazuh-alerts]
+coldPath = $SPLUNK_DB/wazuh/colddb
+enableDataIntegrityControl = 1
+enableTsidxReduction = 1
+homePath = $SPLUNK_DB/wazuh/db
+maxTotalDataSizeMB = 512000
+thawedPath = $SPLUNK_DB/wazuh/thaweddb
+timePeriodInSecBeforeTsidxReduction = 15552000
+tsidxReductionCheckPeriodInSec =
+
diff --git a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
new file mode 100644
index 0000000000000..9449e0f79393d
--- /dev/null
+++ b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
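Review bot: `enablesSplunkWebSSL: true` is not a web.conf setting — the key is `enableSplunkWebSSL` (no `s`) — so Splunk ignores it and this file on its own never turns Web SSL on; the same misspelling is commented out in patch 3 and re-enabled in patch 5. Write `enableSplunkWebSSL: true`. The booleans under `hec:` are written `True`/`True` while the rest of the series uses lowercase `true`; prefer `enable: true` and `ssl: true` for consistency and for parsers that are strict about YAML 1.2 booleans. `pass4SymmKey` and `token` are static secrets committed with the file; acceptable for a test stack, but a comment marking them development-only (and noting that the HEC token must match the Logstash pipeline header) would stop them travelling further.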
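Review bot: `tsidxReductionCheckPeriodInSec =` closes the `[wazuh-alerts]` stanza with no value, which Splunk is likely to read as an empty string rather than fall back to the default; either set it (it should be much smaller than the `timePeriodInSecBeforeTsidxReduction = 15552000` it pairs with) or delete the line. The empty `[default]` stanza above it carries no settings and can be dropped as well.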
@@ -0,0 +1,31 @@
+input {
+ opensearch {
+ hosts => ["wazuh.indexer:9200"]
+ user => "${INDEXER_USERNAME}"
+ password => "${INDEXER_PASSWORD}"
+ ssl => true
+ ca_file => "/usr/share/logstash/root-ca.pem"
+ index => "wazuh-alerts-4.x-*"
+ query => '{
+ "query": {
+ "range": {
+ "@timestamp": {
+ "gt": "now-1m"
+ }
+ }
+ }
+ }'
+ schedule => "* * * * *"
+ }
+}
+
+
+output {
+ http {
+ format => "json"
+ http_method => "post"
+ url => "https://splunk:8088/services/collector/raw"
+ headers => ["Authorization", "Splunk a51ddfbd-3a69-468f-a235-e63f5d9704cc"]
+ cacert => "/usr/share/logstash/root-ca.pem"
+ }
+}
diff --git a/integrations/splunk/logstash/setup.sh b/integrations/splunk/logstash/setup.sh
new file mode 100644
index 0000000000000..4852d27efd5e1
--- /dev/null
+++ b/integrations/splunk/logstash/setup.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/bash
+
+# This script creates and configures a keystore for Logstash to store
+# indexer's credentials. NOTE: works only for dockerized logstash.
+# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html
+
+# Create keystore
+/usr/share/logstash/bin/logstash-keystore create
+echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME
+echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD
From 6394545d7319950491c7b5c3d26ecf5c602202c5 Mon Sep 17 00:00:00 2001
From: Fede Tux
Date: Fri, 7 Jun 2024 09:22:05 -0300
Subject: [PATCH 2/5] Fix certificate errors
---
 integrations/docker/splunk.yml | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/integrations/docker/splunk.yml b/integrations/docker/splunk.yml
index 24251585e8936..a258188aef2c7 100644
--- a/integrations/docker/splunk.yml
+++ b/integrations/docker/splunk.yml
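Review bot: The HEC token in `headers => ["Authorization", "Splunk a51ddfbd-3a69-468f-a235-e63f5d9704cc"]` is a literal, while the indexer credentials in the input block come from the Logstash keystore as `${INDEXER_USERNAME}`/`${INDEXER_PASSWORD}`. Use the same mechanism for the bearer token, `headers => ["Authorization", "Splunk ${SPLUNK_HEC_TOKEN}"]`, and add the entry in `setup.sh`; that keeps a secret out of the pipeline file and stops the token being maintained in two places (patch 3 has to change it both here and in `default.yml`). The `query` only selects `@timestamp` greater than `now-1m` on a `* * * * *` schedule, so an indexer or Logstash outage longer than a minute leaves alerts unforwarded rather than backfilling them — worth a comment if that is accepted for the test environment.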
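Review bot: The script has no `set -euo pipefail` after `#!/usr/bin/bash`, so a failed `logstash-keystore create` does not stop the two `add` commands from running against a missing or pre-existing keystore. Both values are the literal `admin`; reading them from the environment, e.g. `echo "${INDEXER_PASSWORD:?}" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD`, keeps default credentials out of the tracked file while preserving the keystore-based pipeline. Nothing in the compose file of this patch invokes this script, so the header comment should say where it is meant to run (image build or a manual step) — `works only for dockerized logstash` does not make that clear.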
@@ -89,8 +89,8 @@ services: - ./certs/:/certs/ entrypoint: > sh -c " - openssl req -x509 -newkey rsa:4096 -passout pass:abcd1234 -keyout /certs/splunk.key -out /certs/splunk.pem -days 365 -subj '/CN=Wazuh' && - cat /certs/splunk.pem /certs/splunk.key /certs/root-ca.pem > /certs/splunkhec.pem + openssl req -x509 -newkey rsa:4096 -passout pass:abcd1234 -keyout /certs/splunk.key -out /certs/splunk.pem -days 365 -subj '/CN=splunk' + chmod a+r /certs/splunk.{key,pem} " # entrypoint: > # sh -c " @@ -102,9 +102,11 @@ services: splunk: image: splunk/splunk:9.0.4 volumes: - - ./certs:/opt/splunk/etc/auth/custom - - ../splunk/config/default.yml:/tmp/defaults/default.yml + - ./certs/splunk.key:/home/splunk.key + - ./certs/splunk.pem:/home/splunk.pem - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf + # - ./certs:/opt/splunk/etc/auth/custom + # - ../splunk/config/default.yml:/tmp/defaults/default.yml depends_on: wazuh-certs-generator: condition: service_completed_successfully @@ -114,13 +116,13 @@ services: environment: SPLUNK_START_ARGS: --accept-license SPLUNK_HTTP_ENABLESSL: 'true' - # SPLUNK_HTTP_ENABLESSL_CERT: /opt/splunk/etc/auth/custom/splunk.pem - # SPLUNK_HTTP_ENABLESSL_PRIVKEY: /opt/splunk/etc/auth/custom/splunk.key - # SPLUNK_HTTP_ENABLESSL_PRIVKEY_PASSWORD: "abcd1234" - # SPLUNK_HEC_TOKEN: "abcd1234" - SPLUNK_PASSWORD: password - SPLUNK_HOSTNAME: splunk - SPLUNK_STANDALONE_URL: https://splunk:8080 + SPLUNK_HTTP_ENABLESSL_CERT: /home/splunk.pem + SPLUNK_HTTP_ENABLESSL_PRIVKEY: /home/splunk.key + SPLUNK_HTTP_ENABLESSL_PRIVKEY_PASSWORD: "abcd1234" + SPLUNK_HEC_TOKEN: "abcd1234" + SPLUNK_PASSWORD: Password.1234 + #SPLUNK_HOSTNAME: splunk + #SPLUNK_STANDALONE_URL: https://splunk:8080 logstash: depends_on: From 6a642c6193b06ba42b77ab98f1d21384a6ba7dc6 Mon Sep 17 00:00:00 2001 
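Review bot: The `&&` between the two commands in the generator `entrypoint` was dropped, and since the value is a `>` folded scalar the lines `openssl req … -subj '/CN=splunk'` and `chmod a+r /certs/splunk.{key,pem}` fold onto one shell line — `chmod` and its operands become extra arguments to `openssl req` instead of a second command. Restore the separator, `… -subj '/CN=splunk' &&`, or switch the scalar to `|` so each line stays a command. `chmod a+r` on `splunk.key` also makes the private key world-readable; patch 3 replaces this with a `chown` to the container user, which is the narrower change. `SPLUNK_PASSWORD: Password.1234` and `SPLUNK_HEC_TOKEN: "abcd1234"` are new literals in the same hunk; as with the first revision of this file, they belong in `docker/.env`.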
From: Fede Tux Date: Mon, 10 Jun 2024 09:40:49 -0300 Subject: [PATCH 3/5] Add cfssl container to generate and sign splunk certs --- integrations/docker/splunk.yml | 69 +++++++++++++------ integrations/splunk/config/default.yml | 4 +- .../logstash/pipeline/indexer-to-splunk.conf | 2 +- 3 files changed, 52 insertions(+), 23 deletions(-) diff --git a/integrations/docker/splunk.yml b/integrations/docker/splunk.yml index a258188aef2c7..4990a52211c7b 100644 --- a/integrations/docker/splunk.yml +++ b/integrations/docker/splunk.yml 
@@ -80,48 +80,77 @@ services: # ================================= # https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-docker.html + #generator: + # image: alpine/openssl:latest + # depends_on: + # wazuh-certs-generator: + # condition: service_completed_successfully + # volumes: + # - ./certs/:/certs/ + # entrypoint: > + # sh -c " + # openssl req -x509 -newkey rsa:4096 -passout pass:abcd1234 -keyout /certs/splunk.key -out /certs/splunk.pem -days 365 -subj '/CN=splunk' + # chmod a+r /certs/splunk.{key,pem} + # " + # # entrypoint: > + # # sh -c " + # # cat /certs/splunk.pem /certs/splunk-key.pem /certs/root-ca.pem > /sp_certs/splunkhec.pem && + # # cp /certs/splunk.pem /sp_certs/splunk.pem && + # # cp /certs/splunk-key.pem /sp_certs/splunk-key.pem + # # " generator: - image: alpine/openssl:latest + image: cfssl/cfssl depends_on: wazuh-certs-generator: condition: service_completed_successfully volumes: - ./certs/:/certs/ - entrypoint: > - sh -c " - openssl req -x509 -newkey rsa:4096 -passout pass:abcd1234 -keyout /certs/splunk.key -out /certs/splunk.pem -days 365 -subj '/CN=splunk' - chmod a+r /certs/splunk.{key,pem} - " - # entrypoint: > - # sh -c " - # cat /certs/splunk.pem /certs/splunk-key.pem /certs/root-ca.pem > /sp_certs/splunkhec.pem && - # cp /certs/splunk.pem /sp_certs/splunk.pem && - # cp /certs/splunk-key.pem /sp_certs/splunk-key.pem - # " + - ../splunk/cfssl/:/conf/ + entrypoint: /bin/bash + command: > + -c ' + cd /certs + cat /conf/host.json | \ + cfssl gencert \ + -ca root-ca.pem \ + -ca-key root-ca.key \ + -config /conf/cfssl.json \ + -profile=server - | \ + cfssljson -bare splunk + openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key + rm splunk.csr + cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem + chown -R 1000:1000 /certs/splunk* + ' splunk: image: splunk/splunk:9.0.4 volumes: - - ./certs/splunk.key:/home/splunk.key - - ./certs/splunk.pem:/home/splunk.pem + - 
./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key + - ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem + - ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf + - ../splunk/config/default.yml:/tmp/defaults/default.yml # - ./certs:/opt/splunk/etc/auth/custom - # - ../splunk/config/default.yml:/tmp/defaults/default.yml depends_on: wazuh-certs-generator: condition: service_completed_successfully + generator: + condition: service_completed_successfully ports: - '8000:8000' - '8088:8088' environment: - SPLUNK_START_ARGS: --accept-license - SPLUNK_HTTP_ENABLESSL: 'true' - SPLUNK_HTTP_ENABLESSL_CERT: /home/splunk.pem - SPLUNK_HTTP_ENABLESSL_PRIVKEY: /home/splunk.key - SPLUNK_HTTP_ENABLESSL_PRIVKEY_PASSWORD: "abcd1234" SPLUNK_HEC_TOKEN: "abcd1234" + SPLUNK_HOSTNAME: splunk + SPLUNK_HTTP_ENABLESSL: 'true' SPLUNK_PASSWORD: Password.1234 + SPLUNK_STANDALONE_URL: https://splunk:8080 + SPLUNK_START_ARGS: --accept-license #SPLUNK_HOSTNAME: splunk + #SPLUNK_HTTP_ENABLESSL_CERT: /opt/splunk/etc/auth/custom/splunk.pem + #SPLUNK_HTTP_ENABLESSL_PRIVKEY: /opt/splunk/etc/auth/custom/splunk.key + #SPLUNK_HTTP_ENABLESSL_PRIVKEY_PASSWORD: "abcd1234" #SPLUNK_STANDALONE_URL: https://splunk:8080 logstash: diff --git a/integrations/splunk/config/default.yml b/integrations/splunk/config/default.yml index b4f2ea2e542b3..e5725ce9bc785 100644 --- a/integrations/splunk/config/default.yml +++ b/integrations/splunk/config/default.yml @@ -5,7 +5,7 @@ splunk: directory: /opt/splunk/etc/system/local content: settings: - enablesSplunkWebSSL: true + #enablesSplunkWebSSL: true privKeyPath: /opt/splunk/etc/auth/custom/splunk.key serverCert: /opt/splunk/etc/auth/custom/splunk.pem - key: server @@ -22,4 +22,4 @@ splunk: ssl: True port: 8088 # hec.token is used only for ingestion (receiving Splunk events) - token: a51ddfbd-3a69-468f-a235-e63f5d9704cc + token: abcd1234 
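Review bot: `image: cfssl/cfssl` carries no tag, unlike every other service in the file (`opensearchproject/opensearch:2.12.0`, `splunk/splunk:9.0.4`, `wazuh/wazuh-certs-generator:0.0.1`), and this is the container that is handed the root CA key via `-ca-key root-ca.key` to issue the Splunk certificate; pin it, `image: cfssl/cfssl:<pinned-tag>` (a digest is better still), so the signing toolchain cannot change between runs. The command leaves the unencrypted private key in three files under `./certs` (`splunk-key.pem`, the PKCS#8 `splunk.key`, and the `splunkhec.pem` bundle that `sslConfig.serverCert` needs), and `chown -R 1000:1000 /certs/splunk*` sets ownership but not mode; add a `chmod 640 /certs/splunk*` after it, and confirm that `1000` — which matches the `1000:999` used for the indexer certificates above — is in fact the uid the Splunk container reads these mounts as. `SPLUNK_HTTP_ENABLESSL: 'true'` is kept while the corresponding `_CERT`/`_PRIVKEY` variables are commented out in favour of `default.yml`; a short comment saying that web.conf now comes from `default.yml` would save the next reader the cross-reference.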
diff --git a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
index 9449e0f79393d..2b7fb10f7e868 100644
--- a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
+++ b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
@@ -25,7 +25,7 @@ output {
 format => "json"
 http_method => "post"
 url => "https://splunk:8088/services/collector/raw"
- headers => ["Authorization", "Splunk a51ddfbd-3a69-468f-a235-e63f5d9704cc"]
+ headers => ["Authorization", "Splunk abcd1234"]
 cacert => "/usr/share/logstash/root-ca.pem"
 }
 }
From 50d7f5947a2461c862c52418d8e178f351e8588f Mon Sep 17 00:00:00 2001
From: Fede Tux
Date: Mon, 10 Jun 2024 09:42:06 -0300
Subject: [PATCH 4/5] Add cfssl configuration fiels
---
 integrations/splunk/cfssl/ca.json | 15 +++++++
 integrations/splunk/cfssl/cfssl.json | 58 ++++++++++++++++++++++++++++
 integrations/splunk/cfssl/host.json | 19 +++++++++
 3 files changed, 92 insertions(+)
 create mode 100644 integrations/splunk/cfssl/ca.json
 create mode 100644 integrations/splunk/cfssl/cfssl.json
 create mode 100644 integrations/splunk/cfssl/host.json
diff --git a/integrations/splunk/cfssl/ca.json b/integrations/splunk/cfssl/ca.json
new file mode 100644
index 0000000000000..8a96a70a42c42
--- /dev/null
+++ b/integrations/splunk/cfssl/ca.json
@@ -0,0 +1,15 @@
+{
+ "CN": "Wazuh",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "San Francisco",
+ "O": "Wazuh",
+ "OU": "Wazuh Root CA"
+ }
+ ]
+}
diff --git a/integrations/splunk/cfssl/cfssl.json b/integrations/splunk/cfssl/cfssl.json
new file mode 100644
index 0000000000000..d23daf762100e
--- /dev/null
+++ b/integrations/splunk/cfssl/cfssl.json
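Review bot: `ca.json` is not consumed by anything in this series — the generator in `splunk.yml` mounts only `/conf/host.json` and `/conf/cfssl.json` and signs with the `root-ca.pem`/`root-ca.key` produced by `wazuh-certs-generator` — so this CSR template for a `Wazuh Root CA` is dead configuration and implies a second CA that is never created. Either drop the file or, since JSON cannot carry a comment, explain its intended use in `README.md`. Its subject (`L: San Francisco`, `OU: Wazuh Root CA`) also differs from the `L=California` used elsewhere in the integration, which would matter if it were ever wired in.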
@@ -0,0 +1,58 @@
+{
+ "signing": {
+ "default": {
+ "expiry": "8760h"
+ },
+ "profiles": {
+ "intermediate_ca": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "cert sign",
+ "crl sign",
+ "server auth",
+ "client auth"
+ ],
+ "expiry": "8760h",
+ "ca_constraint": {
+ "is_ca": true,
+ "max_path_len": 0,
+ "max_path_len_zero": true
+ }
+ },
+ "peer": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "data encipherment",
+ "client auth",
+ "server auth"
+ ],
+ "expiry": "8760h"
+ },
+ "server": {
+ "usages": [
+ "signing",
+ "digital signing",
+ "key encipherment",
+ "data encipherment",
+ "server auth"
+ ],
+ "expiry": "8760h"
+ },
+ "client": {
+ "usages": [
+ "signing",
+ "digital signature",
+ "key encipherment",
+ "data encipherment",
+ "client auth"
+ ],
+ "expiry": "8760h"
+ }
+ }
+ }
+}
+
diff --git a/integrations/splunk/cfssl/host.json b/integrations/splunk/cfssl/host.json
new file mode 100644
index 0000000000000..e1d3cd064b842
--- /dev/null
+++ b/integrations/splunk/cfssl/host.json
@@ -0,0 +1,19 @@
+{
+ "CN": "splunk",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "California",
+ "O": "Wazuh",
+ "OU": "Wazuh"
+ }
+ ],
+ "hosts": [
+ "splunk",
+ "localhost"
+ ]
+}
From 6d9685be63161506ceb1659cc097b19f9f0ac70b Mon Sep 17 00:00:00 2001
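Review bot: The `server` profile lists `"digital signing"` where the `intermediate_ca`, `peer` and `client` profiles use `"digital signature"`; cfssl only knows the latter, and as far as I recall it warns on an unrecognised usage string and drops it as long as the profile still has a valid one, so the certificate issued with `-profile=server` in the generator would lack the digitalSignature key usage. Change it to `"digital signature"`. A server certificate without digitalSignature can be rejected by stricter TLS stacks for ECDHE/TLS 1.3 handshakes, surfacing as an opaque handshake failure rather than a configuration error. The `intermediate_ca`, `peer` and `client` profiles are not referenced by this series; trimming the policy to `default` plus `server` keeps the signing surface minimal, and the trailing blank line after the closing `}` can go.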
From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Mon, 10 Jun 2024 19:27:28 +0200 Subject: [PATCH 5/5] Update Splunk integration --- integrations/.gitignore | 2 - integrations/docker/splunk.yml | 36 +-- integrations/splunk/README.md | 31 +- integrations/splunk/config/default.yml | 2 +- .../logstash/pipeline/indexer-to-splunk.conf | 2 +- integrations/splunk/wazuh-amazon-aws | 136 ++++++++ integrations/splunk/wazuh-docker-listener | 130 ++++++++ integrations/splunk/wazuh-incident-response | 135 ++++++++ integrations/splunk/wazuh-malware-detection | 136 ++++++++ integrations/splunk/wazuh-pci-dss | 136 ++++++++ integrations/splunk/wazuh-security-events | 296 ++++++++++++++++++ integrations/splunk/wazuh-vulnerabilities | 261 +++++++++++++++ 12 files changed, 1250 insertions(+), 53 deletions(-) create mode 100644 integrations/splunk/wazuh-amazon-aws create mode 100644 integrations/splunk/wazuh-docker-listener create mode 100644 integrations/splunk/wazuh-incident-response create mode 100644 integrations/splunk/wazuh-malware-detection create mode 100644 integrations/splunk/wazuh-pci-dss create mode 100644 integrations/splunk/wazuh-security-events create mode 100644 integrations/splunk/wazuh-vulnerabilities diff --git a/integrations/.gitignore b/integrations/.gitignore index 628a41a544786..a9728d8767e3a 100644 --- a/integrations/.gitignore +++ b/integrations/.gitignore @@ -1,4 +1,2 @@ external -common -config docker/certs \ No newline at end of file diff --git a/integrations/docker/splunk.yml b/integrations/docker/splunk.yml index 4990a52211c7b..91d4f346cca81 100644 --- a/integrations/docker/splunk.yml +++ b/integrations/docker/splunk.yml @@ -5,7 +5,6 @@ services: image: wazuh/indexer-events-generator build: context: ../tools/events-generator - # container_name: events-generator depends_on: wazuh.indexer: condition: service_healthy 
@@ -13,7 +12,6 @@ services: wazuh.indexer: image: opensearchproject/opensearch:2.12.0 - # container_name: wazuh.indexer depends_on: wazuh-certs-generator: condition: service_completed_successfully @@ -54,7 +52,6 @@ services: wazuh.dashboard: image: opensearchproject/opensearch-dashboards:2.12.0 - # container_name: wazuh.dashboard depends_on: - wazuh.indexer hostname: wazuh.dashboard @@ -68,7 +65,6 @@ services: wazuh-certs-generator: image: wazuh/wazuh-certs-generator:0.0.1 hostname: wazuh-certs-generator - # container_name: wazuh-certs-generator entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" volumes: - ./certs/:/certificates/ @@ -78,26 +74,7 @@ services: # ================================= # Splunk and Logstash # ================================= - # https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-docker.html - #generator: - # image: alpine/openssl:latest - # depends_on: - # wazuh-certs-generator: - # condition: service_completed_successfully - # volumes: - # - ./certs/:/certs/ - # entrypoint: > - # sh -c " - # openssl req -x509 -newkey rsa:4096 -passout pass:abcd1234 -keyout /certs/splunk.key -out /certs/splunk.pem -days 365 -subj '/CN=splunk' - # chmod a+r /certs/splunk.{key,pem} - # " - # # entrypoint: > - # # sh -c " - # # cat /certs/splunk.pem /certs/splunk-key.pem /certs/root-ca.pem > /sp_certs/splunkhec.pem && - # # cp /certs/splunk.pem /sp_certs/splunk.pem && - # # cp /certs/splunk-key.pem /sp_certs/splunk-key.pem - # # " generator: image: cfssl/cfssl depends_on: @@ -131,7 +108,6 @@ services: - ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf - ../splunk/config/default.yml:/tmp/defaults/default.yml - # - ./certs:/opt/splunk/etc/auth/custom depends_on: wazuh-certs-generator: condition: service_completed_successfully 
@@ -147,29 +123,21 @@ services: SPLUNK_PASSWORD: Password.1234 SPLUNK_STANDALONE_URL: https://splunk:8080 SPLUNK_START_ARGS: --accept-license - #SPLUNK_HOSTNAME: splunk - #SPLUNK_HTTP_ENABLESSL_CERT: /opt/splunk/etc/auth/custom/splunk.pem - #SPLUNK_HTTP_ENABLESSL_PRIVKEY: /opt/splunk/etc/auth/custom/splunk.key - #SPLUNK_HTTP_ENABLESSL_PRIVKEY_PASSWORD: "abcd1234" - #SPLUNK_STANDALONE_URL: https://splunk:8080 - + logstash: depends_on: splunk: condition: service_healthy image: logstash-oss:8.6.2 - # container_name: logstash build: - context: ../elastic + context: ../splunk environment: LOG_LEVEL: info MONITORING_ENABLED: false volumes: - ../splunk/logstash/pipeline:/usr/share/logstash/pipeline - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem - # - sp_certs:/etc/certs/elastic command: logstash -f /usr/share/logstash/pipeline/indexer-to-splunk.conf volumes: data: - sp_certs: diff --git a/integrations/splunk/README.md b/integrations/splunk/README.md index a2086d9e21bc1..203ea83457114 100644 --- a/integrations/splunk/README.md +++ b/integrations/splunk/README.md @@ -1,6 +1,6 @@ # Wazuh to Splunk Integration Developer Guide -This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and the Elastic Stack. For a detailed guide on how to integrate Wazuh with Elastic Stack, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html). +This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and Splunk. For a detailed guide on how to integrate Wazuh with Splunk, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/splunk/index.html). ## Requirements 
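Review bot: `context: ../splunk` makes the logstash image build from `integrations/splunk/`, but no patch in this series adds a `Dockerfile` there (the diffstats list only the README, `config/`, `cfssl/`, `logstash/` and the dashboard files), so `docker compose up` will fail at build time unless a Dockerfile already exists in that directory outside this series. If the intent is to keep using the Elastic integration's image, leave `context: ../elastic`; otherwise add the Dockerfile in this PR and have it run `logstash/setup.sh`, so the keystore entries the pipeline expects exist when the container starts. `image: logstash-oss:8.6.2` is kept as the name of a locally built image; a comment noting that it is not pulled from a registry would avoid confusion with the official `logstash-oss` images.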
@@ -11,7 +11,7 @@ This document describes how to prepare a Docker Compose environment to test the 1. Clone the Wazuh repository and navigate to the `integrations/` folder. 2. Run the following command to start the environment: ```bash - docker compose -f ./docker/elastic.yml up -d + docker compose -f ./docker/splunk.yml up -d ``` The Docker Compose project will bring up the following services: 
@@ -24,25 +24,26 @@ The Docker Compose project will bring up the following services: For custom configurations, you may need to modify these files: -- [docker/elastic.yml](../docker/elastic.yml): Docker Compose file. +- [docker/splunk.yml](../docker/splunk.yml): Docker Compose file. - [docker/.env](../docker/.env): Environment variables file. -- [elastic/logstash/pipeline/indexer-to-elastic.conf](./logstash/pipeline/indexer-to-elastic.conf): Logstash Pipeline configuration file. +- [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file. Check the files above for **credentials**, ports, and other configurations. -| Service | Address | Credentials | -| ---------------- | ---------------------- | --------------- | -| Wazuh Indexer | https://localhost:9200 | admin:admin | -| Wazuh Dashboards | https://localhost:5601 | admin:admin | -| Elastic | https://localhost:9201 | elastic:elastic | -| Kibana | https://localhost:5602 | elastic:elastic | +| Service | Address | Credentials | +| ---------------- | ---------------------- | ------------------- | +| Wazuh Indexer | https://localhost:9200 | admin:admin | +| Wazuh Dashboards | https://localhost:5601 | admin:admin | +| Splunk | https://localhost:8000 | admin:Password.1234 | ## Importing the dashboards -The dashboards for Elastic are included in [dashboards.ndjson](./dashboards.ndjson). The steps to import them to Elastic are the following: +The dashboards for Splunk are included in this folder. The steps to import them to Splunk are the following: -- On Kibana, expand the left menu, and go to `Stack management`. -- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file. -- Click on Import and complete the process. +- In the Splunk UI, go to `Settings` > `Data Inputs` > `HTTP Event Collector` and make sure that the `hec` token is enabled and uses the `wazuh-alerts` index. 
+- Open a dashboard file and copy all its content. +- In the Splunk UI, navigate to `Search & Reporting`, `Dashboards`, click `Create New Dashboard`, write the title and select `Dashboard Studio`, select `Grid` and click on `Create`. +- On the top menu, there is a `Source` icon. Click on it, and replace all the content with the copied content from the dashboard file. After that, click on `Back` and click on `Save`. +- Repeat the steps for all the desired dashboards. -Imported dashboards will appear in the `Dashboards` app on the left menu. +Imported dashboards will appear under `Search & Reporting` > `Dashboards`. diff --git a/integrations/splunk/config/default.yml b/integrations/splunk/config/default.yml index e5725ce9bc785..e9e0637d69a60 100644 --- a/integrations/splunk/config/default.yml +++ b/integrations/splunk/config/default.yml @@ -5,7 +5,7 @@ splunk: directory: /opt/splunk/etc/system/local content: settings: - #enablesSplunkWebSSL: true + enablesSplunkWebSSL: true privKeyPath: /opt/splunk/etc/auth/custom/splunk.key serverCert: /opt/splunk/etc/auth/custom/splunk.pem - key: server diff --git a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf index 2b7fb10f7e868..fe6042f4c4e0c 100644 --- a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf +++ b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf @@ -22,7 +22,7 @@ input { output { http { - format => "json" + format => "json" http_method => "post" url => "https://splunk:8088/services/collector/raw" headers => ["Authorization", "Splunk abcd1234"] diff --git a/integrations/splunk/wazuh-amazon-aws b/integrations/splunk/wazuh-amazon-aws new file mode 100644 index 0000000000000..84cd253410bb2 --- /dev/null +++ b/integrations/splunk/wazuh-amazon-aws 
@@ -0,0 +1,136 @@ +{ + "visualizations": { + "viz_lTJLU7ar": { + "type": "splunk.area", + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count", + "legendDisplay": "left" + }, + "dataSources": { + "primary": "ds_BHh1kZmb" + }, + "title": "Events by source over time" + }, + "viz_l5qazB46": { + "type": "splunk.pie", + "options": { + "showDonutHole": true + }, + "dataSources": { + "primary": "ds_Y2J0psR4" + }, + "title": "Sources" + }, + "viz_1JzeNwnq": { + "type": "splunk.table", + "title": "Events", + "dataSources": { + "primary": "ds_K2y81pak" + } + } + }, + "dataSources": { + "ds_BHh1kZmb": { + "type": "ds.search", + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + }, + "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | timechart count by \"data.aws.source\"" + }, + "name": "Search_1" + }, + "ds_Y2J0psR4": { + "type": "ds.search", + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + }, + "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | chart count by \"data.aws.source\"" + }, + "name": "Search_2" + }, + "ds_K2y81pak": { + "type": "ds.search", + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + }, + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.aws.source\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.aws.source, rule.description, rule.level, rule.id" + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now", + "queryParameters": { + 
"latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_lTJLU7ar", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 795, + "h": 334 + } + }, + { + "item": "viz_1JzeNwnq", + "type": "block", + "position": { + "x": 0, + "y": 334, + "w": 1200, + "h": 358 + } + }, + { + "item": "viz_l5qazB46", + "type": "block", + "position": { + "x": 795, + "y": 0, + "w": 405, + "h": 334 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-amazon-aws-v1.0" +} diff --git a/integrations/splunk/wazuh-docker-listener b/integrations/splunk/wazuh-docker-listener new file mode 100644 index 0000000000000..756d9145b8875 --- /dev/null +++ b/integrations/splunk/wazuh-docker-listener 
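Review bot: The new dashboard definition is JSON but the file carries no extension, and the same holds for `wazuh-docker-listener`, `wazuh-incident-response`, `wazuh-malware-detection`, `wazuh-pci-dss`, `wazuh-security-events` and `wazuh-vulnerabilities`; without `.json` editors and linters do not validate them, and the README's "Open a dashboard file" step never says which files those are. I would rename them to `wazuh-amazon-aws.json` and so on, and list them in the README. The dashboard's `"description"` is an empty string; a one-line description stating that the panels select AWS events by the presence of `data.aws.source` (which is what all three searches filter on) would make the intent clear to whoever adapts it.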
@@ -0,0 +1,130 @@ +{ + "visualizations": { + "viz_OcJb59wC": { + "type": "splunk.pie", + "options": { + "showDonutHole": true + }, + "dataSources": { + "primary": "ds_5TEzCbIf" + }, + "title": "Top 5 events" + }, + "viz_bQPbbrvw": { + "type": "splunk.column", + "title": "Events by source over time", + "dataSources": { + "primary": "ds_l6nQN96B" + }, + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + } + }, + "viz_7GGKwL33": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_gW45zmr5" + }, + "title": "Events" + } + }, + "dataSources": { + "ds_5TEzCbIf": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | top limit=5 data.docker.Action | chart count by data.docker.Action", + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + }, + "name": "Search_1" + }, + "ds_l6nQN96B": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by data.docker.Type useother=false usenull=false\n", + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + }, + "name": "Search_2" + }, + "ds_gW45zmr5": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.docker.Type\"=\"*\", \"data.docker.Actor.ID\"=\"*\", \"data.docker.Action\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.docker.Type, data.docker.Actor.ID, data.docker.Action, rule.description, rule.level, rule.id", + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": 
"global_time", + "defaultValue": "-24h@h,now" + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_OcJb59wC", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 415, + "h": 316 + } + }, + { + "item": "viz_7GGKwL33", + "type": "block", + "position": { + "x": 0, + "y": 316, + "w": 1200, + "h": 378 + } + }, + { + "item": "viz_bQPbbrvw", + "type": "block", + "position": { + "x": 415, + "y": 0, + "w": 785, + "h": 316 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-docker-listener-v1.0" +} diff --git a/integrations/splunk/wazuh-incident-response b/integrations/splunk/wazuh-incident-response new file mode 100644 index 0000000000000..7b9f20005ff08 --- /dev/null +++ b/integrations/splunk/wazuh-incident-response 
@@ -0,0 +1,135 @@ +{ + "visualizations": { + "viz_bRMOrrNo": { + "type": "splunk.pie", + "options": { + "showDonutHole": true + }, + "dataSources": { + "primary": "ds_T5OG9qjO" + }, + "title": "Alert groups" + }, + "viz_iOvmhhgU": { + "type": "splunk.table", + "options": {}, + "dataSources": { + "primary": "ds_tnYl87gQ" + } + }, + "viz_P0bNNVfw": { + "type": "splunk.column", + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "dataSources": { + "primary": "ds_GccX6Lrj" + }, + "title": "Events" + } + }, + "dataSources": { + "ds_T5OG9qjO": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"*\" | top limit=5 \"rule.groups{}\" | chart count by \"rule.groups{}\" useother=false usenull=false", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_tnYl87gQ": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.groups{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.groups{}, rule.description, rule.level, rule.id", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_GccX6Lrj": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"audit\" | timechart count by \"rule.groups{}\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now", + "queryParameters": { 
+ "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_bRMOrrNo", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 388, + "h": 292 + } + }, + { + "item": "viz_iOvmhhgU", + "type": "block", + "position": { + "x": 0, + "y": 292, + "w": 1200, + "h": 399 + } + }, + { + "item": "viz_P0bNNVfw", + "type": "block", + "position": { + "x": 388, + "y": 0, + "w": 812, + "h": 292 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-incident-response-v1.0" +} diff --git a/integrations/splunk/wazuh-malware-detection b/integrations/splunk/wazuh-malware-detection new file mode 100644 index 0000000000000..620e8bbb37116 --- /dev/null +++ b/integrations/splunk/wazuh-malware-detection 
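Review bot: `viz_iOvmhhgU` has no `title`, and `viz_P0bNNVfw` is titled `"Events"` although its data source `ds_GccX6Lrj` is restricted to `"rule.groups{}"="audit"`, so the panel headers do not tell the reader what is being shown or counted. I would add `"title": "Alerts"` to the table and change the column chart to `"title": "Audit events over time"`. The dashboard `"description"` is also empty and could state that this view is built on `rule.groups{}`.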
@@ -0,0 +1,136 @@ +{ + "visualizations": { + "viz_Q5GQT6h2": { + "type": "splunk.area", + "dataSources": { + "primary": "ds_N3cdEic4" + }, + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "title": "Emotet malware activity" + }, + "viz_U8vFKyUp": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_f5AJxLS5" + }, + "title": "Security alerts" + }, + "viz_uLQLGVbg": { + "type": "splunk.line", + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "dataSources": { + "primary": "ds_IcWLWjPn" + }, + "title": "Rootkits activity over time" + } + }, + "dataSources": { + "ds_N3cdEic4": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"rootcheck\" | timechart count by \"rule.groups{}\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_f5AJxLS5": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.mitre.technique{}\"=\"*\", \"rule.mitre.tactic{}\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\", \"rule.description\"=\"*\" | table _time, agent.name, rule.mitre.technique{}, rule.mitre.tactic{}, rule.level, rule.id, rule.description\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_IcWLWjPn": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by data.title useother=false usenull=false\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + 
"token": "global_time", + "defaultValue": "-60m@m,now", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_Q5GQT6h2", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 458, + "h": 293 + } + }, + { + "item": "viz_U8vFKyUp", + "type": "block", + "position": { + "x": 0, + "y": 293, + "w": 1200, + "h": 381 + } + }, + { + "item": "viz_uLQLGVbg", + "type": "block", + "position": { + "x": 458, + "y": 0, + "w": 742, + "h": 293 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-malware-detection-v1.0" +} diff --git a/integrations/splunk/wazuh-pci-dss b/integrations/splunk/wazuh-pci-dss new file mode 100644 index 0000000000000..681acc9193b81 --- /dev/null +++ b/integrations/splunk/wazuh-pci-dss 
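Review bot: Panel titles and searches do not match: `viz_Q5GQT6h2` is titled `"Emotet malware activity"` but its data source `ds_N3cdEic4` searches `"rule.groups{}"="rootcheck"`, while `viz_uLQLGVbg` is titled `"Rootkits activity over time"` but `ds_IcWLWjPn` runs an unfiltered `timechart count by data.title`. Either the titles are swapped or the searches are; at minimum the rootcheck timechart should carry the rootkit title and the `data.title` chart a title that names what it actually breaks down. The table query in `ds_f5AJxLS5` and the query in `ds_IcWLWjPn` end with a literal `\n`, as do several queries in the later dashboard files; trimming them keeps the definitions clean.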
@@ -0,0 +1,136 @@ +{ + "visualizations": { + "viz_9NIbkgTo": { + "type": "splunk.bubble", + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "dataSources": { + "primary": "ds_g3vSgFS7" + }, + "title": "PCI DSS requirements" + }, + "viz_Z6CAbCjJ": { + "type": "splunk.column", + "options": { + "stackMode": "stacked", + "yAxisTitleText": "count", + "xAxisTitleText": "requirements" + }, + "dataSources": { + "primary": "ds_lljKZIBi" + }, + "title": "Requirements by agent" + }, + "viz_AtTGNj0f": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_9ABDZ4aq" + }, + "title": "Recent events" + } + }, + "dataSources": { + "ds_g3vSgFS7": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.pci_dss{}\"=\"*\" | timechart count by \"rule.pci_dss{}\"\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_lljKZIBi": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\" | chart count by \"rule.pci_dss{}\", \"agent.name\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_9ABDZ4aq": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.pci_dss{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.pci_dss{}, rule.description, rule.level, rule.id", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": 
"-60m@m,now", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_9NIbkgTo", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 629, + "h": 400 + } + }, + { + "item": "viz_AtTGNj0f", + "type": "block", + "position": { + "x": 0, + "y": 400, + "w": 1200, + "h": 291 + } + }, + { + "item": "viz_Z6CAbCjJ", + "type": "block", + "position": { + "x": 629, + "y": 0, + "w": 571, + "h": 400 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-pci-dss-v1.0" +} \ No newline at end of file diff --git a/integrations/splunk/wazuh-security-events b/integrations/splunk/wazuh-security-events new file mode 100644 index 0000000000000..7d5d033ab0bec --- /dev/null +++ b/integrations/splunk/wazuh-security-events 
@@ -0,0 +1,296 @@ +{ + "visualizations": { + "viz_oAPKLE0R": { + "type": "splunk.column", + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "Count", + "stackMode": "stacked" + }, + "dataSources": { + "primary": "ds_TdanKF0I" + }, + "showProgressBar": false, + "showLastUpdated": false, + "title": "Alerts evolution - Top 5 agents", + "description": "" + }, + "viz_Y07WmZ1b": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_ut2DiVW9" + }, + "title": "Security alerts", + "description": "" + }, + "viz_DI7fpctI": { + "type": "splunk.pie", + "dataSources": { + "primary": "ds_EmDJmxMO" + }, + "showProgressBar": false, + "showLastUpdated": false, + "title": "Top Mitre ATT&K tactics" + }, + "viz_qYCIuSjF": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#0258a1", + "trendColor": "#000000" + }, + "dataSources": { + "primary": "ds_d9cN1Qn9" + }, + "title": "Total" + }, + "viz_aTlMnG7A": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#db566f" + }, + "dataSources": { + "primary": "ds_ZPT4uVoe" + }, + "title": "Level 12 or above alerts" + }, + "viz_R8LMR6U6": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#bf0561" + }, + "dataSources": { + "primary": "ds_d8m0U7Ph" + }, + "title": "Authentication failure" + }, + "viz_nDMI4ZGW": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#007d73" + }, + "dataSources": { + "primary": "ds_7FDRhb5m" + }, + "title": "Authentication success" + } + }, + "dataSources": { + "ds_TdanKF0I": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by agent.name\n\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_ut2DiVW9": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.mitre.id{}\"=\"*\" | table _time, agent.name, rule.mitre.id{}, rule.mitre.tactic{}, 
rule.description, rule.level, rule.id\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_EmDJmxMO": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | top limit=5 agent.name | chart count by agent.name\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + }, + "ds_5QIbKzqF": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | chart count by rule.groups", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_4" + }, + "ds_d9cN1Qn9": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_5" + }, + "ds_ZPT4uVoe": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" rule.level>=12 | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_6" + }, + "ds_d8m0U7Ph": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"authentication_failed\" OR \"rule.groups{}\"=\"win_authentication_failed\" OR \"rule.groups{}\"=\"authentication_failures\" | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_7" + }, + "ds_7FDRhb5m": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=authentication_success | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_8" + }, + "ds_UIfFJptm": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | stats count", + 
"queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_9" + }, + "ds_z3i8WcOf": { + "type": "ds.search", + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + }, + "query": "wazuh-alerts-4.x-sample rule.groups=\"authentication_failures\" | stats count by rule.groups" + }, + "name": "Search_10" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_qYCIuSjF", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 291, + "h": 137 + } + }, + { + "item": "viz_oAPKLE0R", + "type": "block", + "position": { + "x": 0, + "y": 137, + "w": 731, + "h": 326 + } + }, + { + "item": "viz_Y07WmZ1b", + "type": "block", + "position": { + "x": 0, + "y": 463, + "w": 1200, + "h": 400 + } + }, + { + "item": "viz_aTlMnG7A", + "type": "block", + "position": { + "x": 291, + "y": 0, + "w": 286, + "h": 137 + } + }, + { + "item": "viz_R8LMR6U6", + "type": "block", + "position": { + "x": 577, + "y": 0, + "w": 301, + "h": 137 + } + }, + { + "item": "viz_DI7fpctI", + "type": "block", + "position": { + "x": 731, + "y": 137, + "w": 469, + "h": 326 + } + }, + { + "item": "viz_nDMI4ZGW", + "type": "block", + "position": { + "x": 878, + "y": 0, + "w": 322, + "h": 137 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-security-events-v1.0" +} \ No newline at end of file 
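Review bot: Three data sources are defined but never bound to any visualization — `ds_5QIbKzqF`, `ds_UIfFJptm` and `ds_z3i8WcOf` — and all three search `wazuh-alerts-4.x-sample` instead of `index="wazuh-alerts"`, which reads as leftover development state against a sample index; they should be removed before merge. The same leftovers exist in wazuh-vulnerabilities (`ds_31leL1fM`, `ds_jymjmvtF`, `ds_jEwqnxee`). Separately, `viz_DI7fpctI` is titled `"Top Mitre ATT&K tactics"` but its source `ds_EmDJmxMO` runs `top limit=5 agent.name | chart count by agent.name`, so either the title should become `"Top 5 agents"` or the search should group by `rule.mitre.tactic{}`; the framework name is also spelled ATT&CK.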
diff --git a/integrations/splunk/wazuh-vulnerabilities b/integrations/splunk/wazuh-vulnerabilities new file mode 100644 index 0000000000000..56174696e2673 --- /dev/null +++ b/integrations/splunk/wazuh-vulnerabilities 
@@ -0,0 +1,261 @@ +{ + "visualizations": { + "viz_XlLyYDmC": { + "type": "splunk.area", + "dataSources": { + "primary": "ds_DljIxEDR" + }, + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "title": "Alert severity" + }, + "viz_qzFw5Wx7": { + "type": "splunk.table", + "options": {}, + "dataSources": { + "primary": "ds_Irx4cEkl" + } + }, + "viz_3V3AvVY4": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_oyvgAG73" + }, + "title": "Critical Severity Alerts", + "options": { + "majorColor": "#db566f" + } + }, + "viz_cmEIbZ9q": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_TVyYlSRA" + }, + "title": "Hight Severity Alerts", + "options": { + "majorColor": "#0258a1" + } + }, + "viz_4QSVuglC": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_D0hAYmXA" + }, + "title": "Medium Severity Alerts", + "options": { + "majorColor": "#007d73" + } + }, + "viz_VI9ZdnSO": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_1KrtDz29" + }, + "title": "Low Severity Alerts", + "options": { + "majorColor": "#232323" + } + } + }, + "dataSources": { + "ds_DljIxEDR": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by data.vulnerability.severity useother=false usenull=false", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_31leL1fM": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_jymjmvtF": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", + "queryParameters": { + "latest": "$global_time.latest$", + 
"earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + }, + "ds_jEwqnxee": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_4" + }, + "ds_Irx4cEkl": { + "type": "ds.search", + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + }, + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.vulnerability.cve\"=\"*\", \"data.vulnerability.package.name\"=\"*\", \"data.vulnerability.package.version\"=\"*\", \"data.vulnerability.severity\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.vulnerability.cve, data.vulnerability.package.name, data.vulnerability.package.version, data.vulnerability.severity, rule.id\n\n" + }, + "name": "Search_5" + }, + "ds_oyvgAG73": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Critical\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_6" + }, + "ds_TVyYlSRA": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"High\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_7" + }, + "ds_D0hAYmXA": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Medium\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_8" + }, + "ds_1KrtDz29": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" 
\"data.vulnerability.severity\"=\"Low\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_9" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_3V3AvVY4", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 279, + "h": 131 + } + }, + { + "item": "viz_XlLyYDmC", + "type": "block", + "position": { + "x": 0, + "y": 131, + "w": 1200, + "h": 284 + } + }, + { + "item": "viz_qzFw5Wx7", + "type": "block", + "position": { + "x": 0, + "y": 415, + "w": 1200, + "h": 251 + } + }, + { + "item": "viz_cmEIbZ9q", + "type": "block", + "position": { + "x": 279, + "y": 0, + "w": 293, + "h": 131 + } + }, + { + "item": "viz_4QSVuglC", + "type": "block", + "position": { + "x": 572, + "y": 0, + "w": 309, + "h": 131 + } + }, + { + "item": "viz_VI9ZdnSO", + "type": "block", + "position": { + "x": 881, + "y": 0, + "w": 319, + "h": 131 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-vulnerabilities-v1.0" +}
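Review bot: `viz_cmEIbZ9q` is titled `"Hight Severity Alerts"`; it should read `"High Severity Alerts"` to match the `"High"` value its data source `ds_TVyYlSRA` filters on. The table `viz_qzFw5Wx7` has no `title`; `"title": "Vulnerability alerts"` would make the panel self-describing. The four severity radials each run a separate `stats count by "data.vulnerability.severity"` over the same index; that is fine for a demo, but a maintainer may prefer one search with `stats count by` and per-panel `where` if the dashboard is reused at scale.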