diff --git a/integrations/tools/events-generator/wazuh-alerts/alerts.json b/integrations/tools/events-generator/wazuh-alerts/alerts.json
index 92726e79ba855..207ed5db04754 100644
--- a/integrations/tools/events-generator/wazuh-alerts/alerts.json
+++ b/integrations/tools/events-generator/wazuh-alerts/alerts.json
@@ -998,3 +998,136 @@
 {"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"}
 {"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load 
method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"}
 {"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", 
"detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 70.24.101.214] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 75.0.101.245] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "United States of America", "location": {"lat": 40.7142715, "lon": -74.0059662}, "region_name": "New York", "city_name": "New York"}}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container nginx_container restarted", "groups": ["docker"], "id": "87909", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "restart", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "5f91cd9a9f4c5b370b7314c29cc8a2a28c72a61f9659953fa75df643502b3693"}, "scope": "local", "timeNano": "1586460544801840896.000000", "from": "nginx", "time": "1586460544", "status": "restart"}}, "location": ""}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container test_container received the action: die", "groups": ["docker"], "id": "87928", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": 
{"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "die", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "test_container", "exitCode": "0", "maintainer": "NGINX Docker Maintainers "}, "ID": "6d145b0c801fce46301fa96354d0ea29e4b1ea82fe7021799a01e2abe04a18c8"}, "scope": "local", "timeNano": "1587084648640092672.000000", "from": "nginx", "time": "1587084648", "status": "die"}}, "location": ""}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container test_container started", "groups": ["docker"], "id": "87928"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "start", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "test_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "ebe3de16ea5b18aecc216f1cabbab887fd7aa7408dbd761719cd69b3089120fa"}, "scope": "local", "timeNano": "1587084600046795264.000000", "from": "nginx", "time": "1587084600", "status": "start"}}, "location": ""}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Network bridge connected", "groups": ["docker"], "id": "87928"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "connect", "Type": "network", "Actor": {"Attributes": {"container": "fcaa90b845d05ec7ae7a5097a8596b35edf6d368a00f93fe9872a6d5b1449bb9", "name": "bridge", "type": "bridge"}, "ID": 
"d69c82315c95fee242619571726ead25f9447065db44e814bd3e07ea00daebb2"}, "scope": "local", "timeNano": "1587084599776133888.000000", "time": "1587084599"}}, "location": ""}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 4, "description": "Docker: Network bridge disconnected", "groups": ["docker"], "id": "87929", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "disconnect", "Type": "network", "Actor": {"Attributes": {"container": "555b9855a3d5f97bc5156e3d61bcd67ef236f2875cdfaf4e49659c085c69f942", "name": "bridge", "type": "bridge"}, "ID": "26fc9c96a6d0077c55b4ab068408df1be2c77789254262ae65d4f469b7f520fb"}, "scope": "local", "timeNano": "1586460544485358336.000000", "time": "1586460544"}}, "location": ""}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 7, "description": "Docker: Container nginx_container received the action: kill", "groups": ["docker"], "id": "87924", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "kill", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "signal": "15", "maintainer": "NGINX Docker Maintainers "}, "ID": "a5f7bce90032373cf7f6a489ba8ba19744dafef91a5f9eac072e3f7265475ac2"}, "scope": "local", "timeNano": "1586460544324527616.000000", "from": "nginx", "time": "1586460544", "status": "kill"}}, "location": ""}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - 
Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": 
"Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": 
"Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 2, "mail": false, "level": 3, "description": "Docker: Container nginx_container stopped", "groups": ["docker"], "id": "87904", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "stop", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "1645a13ddb2f0ff8f5615b4535e57d4f08b6e444effc71b21962473edbffa758"}, "scope": "local", "timeNano": "1586461541373152000.000000", "from": "nginx", "time": "1586461541", "status": "stop"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 2, "mail": false, "level": 5, "pci_dss": ["10.2.7"], "description": "Docker: Started shell session in container nginx_container", "groups": ["docker"], "id": "87908", "nist_800_53": ["AU.14"], "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": 
"187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "exec_start: bash ", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers ", "execID": "69819869eefb3795e2015b603a2f85d6f5f556e5776428b5360fc9dfe5bfce47"}, "ID": "ff2d3b3018f1a5d97655666b7754c222a76034d536ef1de451a02fb524579c77"}, "timeNano": "1587404196804128000.000000", "from": "nginx", "time": "1587404196", "status": "exec_start: bash "}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh pulled", "id": "87932", "firedtimes": 1, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh:3.9.2_7.1.1", "Attributes": {"name": "wazuh/wazuh"}}, "scope": "local", "time": "1563354346", "timeNano": "1563354346181027328.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-elasticsearch pulled", "id": "87932", "firedtimes": 2, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-elasticsearch:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": 
"wazuh/wazuh-elasticsearch:3.9.2_7.1.1", "Attributes": {"license": "Elastic License", "name": "wazuh/wazuh-elasticsearch", "org": {"label-schema": {"build-date": "20190305", "license": "GPLv2", "name": "elasticsearch", "schema-version": "1.0", "url": "https://www.elastic.co/products/elasticsearch", "vcs-url": "https://github.com/elastic/elasticsearch", "vendor": "Elastic", "version": "7.1.1"}}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-kibana pulled", "id": "87932", "firedtimes": 3, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-kibana:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-kibana:3.9.2_7.1.1", "Attributes": {"license": "Elastic License", "name": "wazuh/wazuh-kibana", "org": {"label-schema": {"build-date": "20190305", "license": "GPLv2", "name": "kibana", "schema-version": "1.0", "url": "https://www.elastic.co/products/kibana", "vcs-url": "https://github.com/elastic/kibana", "vendor": "Elastic", "version": "7.1.1"}}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-nginx pulled", "id": "87932", "firedtimes": 3, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": 
{"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-nginx:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-nginx:3.9.2_7.1.1", "Attributes": {"maintainer": "NGINX Docker Maintainers ", "name": "wazuh/wazuh-nginx"}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Network vagrant_default created", "id": "87930", "firedtimes": 1, "mail": false, "pci_dss": ["10.2.7"], "groups": ["docker"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Type": "network", "Action": "create", "Actor": {"ID": "80f3e2aad6cb19bcc14751551f4ea20037e41c07491a6cf4ccf093b978a8955c", "Attributes": {"name": "vagrant_default", "type": "bridge"}}, "scope": "local", "time": "1563354307", "timeNano": "1563354307459382528.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": 
"Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", 
"ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": 
"2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "United States of America", "location": {"lat": 40.7142715, "lon": -74.0059662}, "region_name": "New York", "city_name": "New York"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": 
"manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, 
"location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Australia", "location": {"lat": -33.8678513, "lon": 151.2073212}, "region_name": "Sydney", "city_name": "Sydney"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "France", "location": {"lat": 48.8534088, "lon": 2.3487999}, "region_name": "Paris", "city_name": "Paris"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": 
{"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", 
"input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 12}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", 
"ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": 
"2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"integration": "aws", "aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2020-04-22T11:17:08Z", "instanceId": "i-0b0b8b34a48c8f1c4", "networkInterfaces": {"networkInterfaceId": "eni-01e777fb9acd548e4", "subnetId": "subnet-7930da22", "vpcId": "vpc-68e3c60f", "privateDnsName": "ip-10-0-2-2.ec2.internal", "publicIp": "40.220.125.204", "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", "privateIpAddress": "10.0.2.2"}, "instanceState": "running", "imageId": "ami-0ff8a91507f77f900", "instanceType": "t2.small", "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOCBIG", "arn": "arn:aws:iam::186154171780:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1a"}}, "description": "EC2 instance i-0b0b8b34a48c8f1c4 is communicating with a remote host on an unusual server port 5060.", "source": "guardduty", "type": "Behavior:EC2/NetworkPortUnusual", "title": "Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "accountId": "18773455640", "createdAt": 
"2024-07-01T05:44:59.824Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "ACTOR", "detectorId": "cab38390b728c06fb2897dfcebffc80d", "eventFirstSeen": "2024-07-01T05:44:59.824Z", "eventLastSeen": "2024-07-04T05:44:59.824Z", "additionalInfo": {"localPort": "2222", "outBytes": "2524", "inBytes": "7187", "unusual": "1323"}, "count": "3251", "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"localIpDetails": {"ipAddressV4": "10.0.2.2"}, "protocol": "TCP", "blocked": "false", "connectionDirection": "OUTBOUND", "localPortDetails": {"port": "36220", "portName": "Unknown"}, "remotePortDetails": {"port": "5050", "portName": "Unknown"}, "remoteIpDetails": {"country": {"countryName": "Italy"}, "city": {"cityName": "Palermo"}, "geoLocation": {"lon": "13.334100", "lat": "38.129000"}, "organization": {"asnOrg": "Net Connections", "org": "Net Connections", "isp": "Net Connections", "asn": "1547"}, "ipAddressV4": "75.0.101.245"}}}, "serviceName": "guardduty"}, "id": "06b8d0602d109db1282f9143809f80b8", "region": "ap-east-1", "arn": "arn:aws:guardduty:ap-northeast-3:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", "updatedAt": "2020-04-22T07:18:12.778Z", "log_info": {"s3bucket": "aws-sample-bucket-3", "log_file": "guardduty/2024/07/04/05/firehose_guardduty-1-2024-07-04-05-44-59-824b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": 
"187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"integration": "aws", "aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2020-04-22T11:17:08Z", "instanceId": "i-0b0b8b34a48c8f1c4", "networkInterfaces": {"networkInterfaceId": "eni-01e777fb9acd548e4", "subnetId": "subnet-7930da22", "vpcId": "vpc-68e3c60f", "privateDnsName": "ip-10-0-2-2.ec2.internal", "publicIp": "40.220.125.204", "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", "privateIpAddress": "10.0.2.2"}, "instanceState": "running", "imageId": "ami-0ff8a91507f77f900", "instanceType": "t2.small", "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOCBIG", "arn": "arn:aws:iam::186154171780:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1a"}}, "description": "EC2 instance i-0b0b8b34a48c8f1c4 is communicating with a remote host on an unusual server port 5060.", "source": "guardduty", "type": "Behavior:EC2/NetworkPortUnusual", "title": "Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "accountId": "18773455640", "createdAt": "2024-07-01T05:44:59.824Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "ACTOR", "detectorId": "cab38390b728c06fb2897dfcebffc80d", "eventFirstSeen": "2024-07-01T05:44:59.824Z", "eventLastSeen": "2024-07-04T05:44:59.824Z", "additionalInfo": {"localPort": "2222", "outBytes": "2524", "inBytes": "7187", "unusual": "1323"}, "count": "3251", "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"localIpDetails": {"ipAddressV4": "10.0.2.2"}, "protocol": "TCP", "blocked": "false", "connectionDirection": "OUTBOUND", "localPortDetails": {"port": "36220", "portName": "Unknown"}, "remotePortDetails": {"port": "5050", 
"portName": "Unknown"}, "remoteIpDetails": {"country": {"countryName": "Italy"}, "city": {"cityName": "Palermo"}, "geoLocation": {"lon": "13.334100", "lat": "38.129000"}, "organization": {"asnOrg": "Net Connections", "org": "Net Connections", "isp": "Net Connections", "asn": "1547"}, "ipAddressV4": "75.0.101.245"}}}, "serviceName": "guardduty"}, "id": "06b8d0602d109db1282f9143809f80b8", "region": "ap-east-1", "arn": "arn:aws:guardduty:ap-northeast-3:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", "updatedAt": "2020-04-22T07:18:12.778Z", "log_info": {"s3bucket": "aws-sample-bucket-3", "log_file": "guardduty/2024/07/04/05/firehose_guardduty-1-2024-07-04-05-44-59-824b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": true, "level": 12, "description": "AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", "groups": ["amazon", "aws", "aws_macie"], "id": "80355", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "CRITICAL", "actor": "resources.wazuh.sample.com", "summary": {"Timestamps": "2024-06-27T08:55:29.145Z", "Description": "S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", "Bucket": "resources.wazuh.sample.com,", "Record Count": "1", "Event Count": "1", "recipientAccountId": "166157441400", "ACL": {"resources": {"wazuh": {"com": {"Owner": {"DisplayName": "wazuh", "ID": "3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}}, "risk-score": "9", "notification-type": "ALERT_CREATED", "name": "S3 Bucket IAM policy grants global read rights", "created-at": "2024-06-27T08:55:29.145Z", "source": "macie", "url": "https://mt.eu-west-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aeu-west-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded", "tags": {"value": "Open Permissions,Basic Alert,"}, "alert-arn": "arn:aws:macie:eu-west-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed", "region": "ap-southeast-1", "log_info": {"s3bucket": "aws-sample-bucket-9", "log_file": "macie/2024/06/30/08/firehose_macie-1-2024-06-30-08-55-29-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2024-06-30-08-55-29-145b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0050-ms-exchange_rules.xml", "relative_dirname": "ruleset/rules", "id": 3852, "level": 9, "status": "enabled", "details": {"frequency": "14", "timeframe": "120", "ignore": "240", "if_matched_sid": "3802", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], 
"tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "ms", "exchange"], "description": "ms-exchange: Multiple e-mail 500 error code (spam)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3306, "level": 6, "status": "enabled", "details": {"if_sid": "3301, 3302", "match": " blocked using "}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: IP Address black-listed by anti-spam (blocked)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0075-cisco-ios_rules.xml", "relative_dirname": "ruleset/rules", "id": 4722, "level": 3, "status": "enabled", "details": {"if_sid": "4715", "id": "^%SEC_LOGIN-5-LOGIN_SUCCESS"}, "pci_dss": ["10.2.5"], "gpg13": ["3.6"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "cisco_ios"], "description": "Cisco IOS: Successful login to the router."}, "agent": 
{"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0080-sonicwall_rules.xml", "relative_dirname": "ruleset/rules", "id": 4851, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "ignore": "60", "if_matched_sid": "4803"}, "pci_dss": ["10.6.1"], "gpg13": ["3.5"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "sonicwall"], "description": "SonicWall: Multiple firewall error messages."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4386, "level": 10, "status": "enabled", "details": {"frequency": "10", "timeframe": "240", "if_matched_sid": "4334", "same_source_ip": ""}, "pci_dss": ["11.4", "10.2.4", "10.2.5"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["SI.4", "AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access", "Initial Access"], "id": ["T1110", "T1133"], "technique": ["Brute Force", "External Remote Services"]}, "groups": ["authentication_failures", "syslog", "pix"], "description": "PIX: Multiple AAA (VPN) authentication failures."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": 
"wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3353, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3303", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0045-mailscanner_rules.xml", "relative_dirname": "ruleset/rules", "id": 3751, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "if_matched_sid": "3702", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access", "Collection"], "id": ["T1110", "T1114"], "technique": ["Brute Force", "Email Collection"]}, "groups": ["multiple_spam", "syslog", "mailscanner"], "description": "mailscanner: Multiple attempts of spam."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, 
"location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3151, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3102", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Sender domain has bogus MX record. It should not be sending e-mail."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3158, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3108", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple pre-greetings rejects."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5703, "level": 10, 
"status": "enabled", "details": {"frequency": "6", "timeframe": "360", "if_matched_sid": "5702", "same_source_ip": ""}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["syslog", "sshd"], "description": "sshd: Possible breakin attempt (high number of reverse lookup errors)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4507, "level": 8, "status": "enabled", "details": {"if_sid": "4502", "id": "^00515"}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.8"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "netscreenfw"], "description": "Netscreen firewall: Successfull admin login"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5302, "level": 9, "status": "enabled", "details": {"if_sid": "5301", "user": "^root"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"], "mitre": {"tactic": 
["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["authentication_failed", "syslog", "su"], "description": "User missed the password to change UID to root."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4550, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "180", "ignore": "60", "if_matched_sid": "4503", "same_source_ip": ""}, "pci_dss": ["1.4", "10.6.1", "11.4"], "gpg13": ["4.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["SC.7", "AU.6", "SI.4"], "tsc": ["CC6.7", "CC6.8", "CC7.2", "CC7.3", "CC6.1"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["netscreenfw"], "description": "Netscreen firewall: Multiple critical messages from same source IP."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4551, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "ignore": "60", "if_matched_sid": "4503"}, "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["netscreenfw"], "description": "Netscreen firewall: Multiple critical messages."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": 
"1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0040-imapd_rules.xml", "relative_dirname": "ruleset/rules", "id": 3602, "level": 3, "status": "enabled", "details": {"if_sid": "3600", "match": "Authenticated user="}, "pci_dss": ["10.2.5"], "gpg13": ["7.1"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "imapd"], "description": "Imapd user login."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2960, "level": 2, "status": "enabled", "details": {"decoded_as": "gpasswd", "match": "added by"}, "gpg13": ["7.9", "4.13"], "gdpr": ["IV_32.2"], "mitre": {"tactic": ["Persistence"], "id": ["T1136"], "technique": ["Create Account"]}, "groups": ["syslog", "yum"], "description": "User added to group."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 550, "level": 7, "status": "enabled", "details": {"category": "wazuh", "decoded_as": "syscheck_integrity_changed"}, "pci_dss": ["11.5"], "gpg13": ["4.11"], "gdpr": ["II_5.1.f"], "hipaa": ["164.312.c.1", "164.312.c.2"], "nist_800_53": ["SI.7"], "tsc": ["PI1.4", 
"PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1492"], "technique": ["Stored Data Manipulation"]}, "groups": ["syscheck", "wazuh"], "description": "Integrity checksum changed."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5403, "level": 4, "status": "enabled", "details": {"if_sid": "5400", "if_fts": ""}, "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "First time user executed sudo."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5402, "level": 3, "status": "enabled", "details": {"if_sid": "5400", "regex": " ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND="}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.6", "7.8", "7.13"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Successful sudo to ROOT executed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": 
"{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3105, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=553 5.1.8 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender domain is not found (553: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3153, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3104", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple relaying attempts of spam."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3108, "level": 6, "status": "enabled", "details": {"if_sid": "3100", "match": "rejecting commands from"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", 
"CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sendmail rejected due to pre-greeting."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0090-telnetd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5601, "level": 5, "status": "enabled", "details": {"if_sid": "5600", "match": "refused connect from "}, "gdpr": ["IV_35.7.d"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer Protocol"]}, "groups": ["syslog", "telnetd"], "description": "telnetd: Connection refused by TCP Wrappers."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3398, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "MAIL|does not resolve to address"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Illegal address from unknown sender"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, 
"location": "EventChannel"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3302, "level": 6, "status": "enabled", "details": {"if_sid": "3300", "id": "^550$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Rejected by access list (Requested action not taken)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5404, "level": 10, "status": "enabled", "details": {"if_sid": "5401", "match": "3 incorrect password attempts"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Three failed attempts to run sudo"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2502, "level": 10, "status": "enabled", "details": {"match": "more authentication failures;|REPEATED login failures"}, "pci_dss": ["10.2.4", 
"10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failed", "syslog", "access_control"], "description": "syslog: User missed the password more than one time"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5103, "level": 9, "status": "enabled", "details": {"if_sid": "5100", "match": "Oversized packet received from"}, "gdpr": ["IV_35.7.d"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "linuxkernel"], "description": "Error message from the kernel. 
Ping of death attack."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3191, "level": 6, "status": "enabled", "details": {"if_sid": "3190", "match": "^sender check failed|^sender check tempfailed"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["smf-sav", "spam", "syslog", "sendmail"], "description": "sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5401, "level": 5, "status": "enabled", "details": {"if_sid": "5400", "match": "incorrect password attempt"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Failed attempt to run sudo."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
+{"timestamp": "{timestamp}", 
"@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3354, "level": 12, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3304", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple misuse of SMTP service (bad sequence of commands)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4342, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-502101|^5-502102"}, "pci_dss": ["8.1.2", "10.2.5"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.a.2.I", "164.312.a.2.II", "164.312.b"], "nist_800_53": ["AC.2", "IA.4", "AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion", "Initial Access"], "id": ["T1089", "T1133"], "technique": ["Disabling Security Tools", "External Remote Services"]}, "groups": ["adduser", "account_changed", "syslog", "pix"], "description": "PIX: User created or modified on the Firewall."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": 
"0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3102, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=451 4.1.8 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender domain does not have any valid MX record (Requested action aborted)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3154, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3105", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0085-pam_rules.xml", "relative_dirname": "ruleset/rules", "id": 5501, "level": 3, "status": "enabled", "details": {"if_sid": "5500", "match": "session opened for user "}, "pci_dss": ["10.2.5"], "gpg13": ["7.8", "7.9"], "gdpr": ["IV_32.2"], "hipaa": 
["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "pam", "syslog"], "description": "PAM: Login session opened."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 504, "level": 3, "status": "enabled", "details": {"if_sid": "500", "match": "Agent disconnected"}, "pci_dss": ["10.6.1", "10.2.6"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "AU.14", "AU.5"], "tsc": ["CC7.2", "CC7.3", "CC6.8"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["wazuh"], "description": "Ossec agent disconnected."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3304, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^503$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."}, "agent": {"id": "001", "name": "RHEL7", "ip": 
"187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3152, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3103", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3303, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^450$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Sender domain is not found (450: Requested mail action not taken)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": 
"{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4340, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-111005|^5-111004|^5-111002|^5-111007"}, "pci_dss": ["1.1.1", "10.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["CM.3", "CM.5", "AU.8"], "tsc": ["CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "syslog", "pix"], "description": "PIX: Firewall configuration changed."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3396, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "verification"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: hostname verification failed"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4335, "level": 3, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-113004"}, "pci_dss": ["10.2.5"], "gpg13": ["7.1", "7.2"], "gdpr": ["IV_32.2"], "hipaa": 
["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "pix"], "description": "PIX: AAA (VPN) authentication successful."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2833, "level": 8, "status": "enabled", "details": {"if_sid": "2832", "match": "^(root)"}, "pci_dss": ["10.2.7", "10.6.1", "10.2.2"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "cron"], "description": "Root's crontab entry changed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3103, "level": 6, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=550 5.0.0 |reject=553 5.3.0"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Rejected by access list (55x: Requested action not taken)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": 
"47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2961, "level": 5, "status": "enabled", "details": {"if_sid": "2960", "group": "sudo"}, "gpg13": ["7.9", "4.13"], "gdpr": ["IV_32.2"], "mitre": {"tactic": ["Persistence"], "id": ["T1136"], "technique": ["Create Account"]}, "groups": ["syslog", "yum"], "description": "User added to group sudo."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3351, "level": 6, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "90", "if_matched_sid": "3301", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple relaying attempts of spam."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5304, "level": 3, "status": "enabled", "details": {"if_sid": 
"5300", "regex": ["session opened for user|succeeded for|", "^+|^S+ to |^SU S+ S+ + "]}, "pci_dss": ["10.2.5"], "gpg13": ["7.6", "7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "su"], "description": "User successfully changed UID."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 592, "level": 8, "status": "enabled", "details": {"if_sid": "500", "match": "^ossec: File size reduced"}, "pci_dss": ["10.5.2", "11.4"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.9", "SI.4"], "tsc": ["CC6.1", "CC7.2", "CC7.3", "CC6.8"], "mitre": {"tactic": ["Impact"], "id": ["T1492"], "technique": ["Stored Data Manipulation"]}, "groups": ["attacks", "wazuh"], "description": "Log file size reduced."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0050-ms-exchange_rules.xml", "relative_dirname": "ruleset/rules", "id": 3851, "level": 9, "status": "enabled", "details": {"frequency": "12", "timeframe": "120", "ignore": "120", "if_matched_sid": "3801", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", 
"Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "ms", "exchange"], "description": "ms-exchange: Multiple e-mail attempts to an invalid account."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5132, "level": 11, "status": "enabled", "details": {"if_sid": "5100", "match": "module verification failed"}, "mitre": {"tactic": ["Persistence"], "id": ["T1215"], "technique": ["Kernel Modules and Extensions"]}, "groups": ["syslog", "linuxkernel"], "description": "Unsigned kernel module was loaded"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 553, "level": 7, "status": "enabled", "details": {"category": "wazuh", "decoded_as": "syscheck_deleted"}, "pci_dss": ["11.5"], "gpg13": ["4.11"], "gdpr": ["II_5.1.f"], "hipaa": ["164.312.c.1", "164.312.c.2"], "nist_800_53": ["SI.7"], "tsc": ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion", "Impact"], "id": ["T1107", "T1485"], "technique": ["File Deletion", "Data Destruction"]}, "groups": ["syscheck", "wazuh"], "description": "File deleted."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": 
"EventChannel"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 505, "level": 3, "status": "enabled", "details": {"if_sid": "500", "match": "Agent removed"}, "pci_dss": ["10.6.1", "10.2.6"], "gpg13": ["10.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "AU.14", "AU.5"], "tsc": ["CC7.2", "CC7.3", "CC6.8"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["wazuh"], "description": "Ossec agent removed."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0090-telnetd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5631, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "120", "if_matched_sid": "5602", "same_source_ip": ""}, "gdpr": ["IV_35.7.d", "IV_32.2"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["syslog", "telnetd"], "description": "telnetd: Multiple connection attempts from same source (possible scan)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4339, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-111003"}, "pci_dss": ["1.1.1", "10.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["CM.3", "CM.5", "AU.8"], "tsc": ["CC8.1", 
"CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "syslog", "pix"], "description": "PIX: Firewall configuration deleted."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 518, "level": 9, "status": "enabled", "details": {"if_sid": "514", "match": "Adware|Spyware"}, "gpg13": ["4.2"], "gdpr": ["IV_35.7.d"], "mitre": {"tactic": ["Lateral Movement"], "id": ["T1017"], "technique": ["Application Deployment Software"]}, "groups": ["rootcheck", "wazuh"], "description": "Windows Adware/Spyware application found."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 597, "level": 5, "status": "enabled", "details": {"category": "wazuh", "if_sid": "553", "hostname": "syscheck-registry"}, "pci_dss": ["11.5"], "gpg13": ["4.13"], "gdpr": ["II_5.1.f"], "hipaa": ["164.312.c.1", "164.312.c.2"], "nist_800_53": ["SI.7"], "tsc": ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion", "Impact"], "id": ["T1107", "T1485"], "technique": ["File Deletion", "Data Destruction"]}, "groups": ["syscheck", "wazuh"], "description": "Registry Entry Deleted."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": 
"wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5701, "level": 8, "status": "enabled", "details": {"if_sid": "5700", "match": "Bad protocol version identification"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1190"], "technique": ["Exploit Public-Facing Application"]}, "groups": ["recon", "syslog", "sshd"], "description": "sshd: Possible attack on the ssh server (or version gathering)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0040-imapd_rules.xml", "relative_dirname": "ruleset/rules", "id": 3651, "level": 10, "status": "enabled", "details": {"frequency": "$IMAPD_FREQ", "timeframe": "120", "if_matched_sid": "3601", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "imapd"], "description": "Imapd Multiple failed logins from same source ip."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": 
"0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5407, "level": 3, "status": "enabled", "details": {"if_sid": "5400", "regex": " ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.6", "7.8", "7.13"], "gdpr": ["IV_32.2"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Successful sudo executed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3155, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3106", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3156, "level": 10, "status": "enabled", "details": {"frequency": "12", "timeframe": "120", "if_matched_sid": "3107", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": 
["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple rejected e-mails from same source ip."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3911, "level": 10, "status": "enabled", "details": {"frequency": "17", "timeframe": "30", "if_matched_sid": "3901", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["recon", "syslog", "courier"], "description": "Courier: Multiple connection attempts from same source."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"}
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 1003, "level": 13, "status": "enabled", "details": {"maxsize": "1025", "noalert": "1"}, "gpg13": ["4.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "errors"], "description": "Non standard syslog message (size too large)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": 
"1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0080-sonicwall_rules.xml", "relative_dirname": "ruleset/rules", "id": 4810, "level": 3, "status": "enabled", "details": {"if_sid": "4806", "id": "^236$"}, "pci_dss": ["10.2.5"], "gpg13": ["3.6"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "sonicwall"], "description": "SonicWall: Firewall administrator login."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4509, "level": 8, "status": "enabled", "details": {"if_sid": "4504", "id": "^00767"}, "pci_dss": ["1.1.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1"], "nist_800_53": ["CM.3", "CM.5"], "tsc": ["CC8.1"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "netscreenfw"], "description": "Netscreen firewall: configuration changed."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2503, "level": 5, "status": "enabled", "details": {"regex": ["^refused connect from|", "^libwrap refused 
connection|", "Connection from S+ denied"]}, "pci_dss": ["10.2.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer Protocol"]}, "groups": ["access_denied", "syslog", "access_control"], "description": "syslog: Connection blocked by Tcp Wrappers."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3352, "level": 6, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3302", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5706, "level": 6, "status": "enabled", "details": {"if_sid": "5700", "match": "Did not receive identification string from"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", 
"CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1043"], "technique": ["Commonly Used Port"]}, "groups": ["recon", "syslog", "sshd"], "description": "sshd: insecure connection attempt (scan)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5303, "level": 3, "status": "enabled", "details": {"if_sid": "5300", "regex": ["session opened for user root|^'su root'|", "^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$"]}, "pci_dss": ["10.2.5"], "gpg13": ["7.6", "7.8", "7.9"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "su"], "description": "User successfully changed UID to root."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4323, "level": 3, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-605005"}, "pci_dss": ["10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "pix"], "description": "PIX: Successful login."}, "agent": {"id": "006", "name": "Windows", 
"ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2504, "level": 9, "status": "enabled", "details": {"match": "ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"}, "pci_dss": ["10.2.4", "10.2.5", "10.2.2"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["invalid_login", "syslog", "access_control"], "description": "syslog: Illegal root login."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5113, "level": 7, "status": "enabled", "details": {"if_sid": "5100", "match": "Kernel log daemon terminating"}, "pci_dss": ["10.6.1"], "gpg13": ["4.14"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1529"], "technique": ["System Shutdown/Reboot"]}, "groups": ["system_shutdown", "syslog", "linuxkernel"], "description": "System is shutting down."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", 
"relative_dirname": "ruleset/rules", "id": 2301, "level": 10, "status": "enabled", "details": {"match": "^Deactivating service "}, "pci_dss": ["10.6.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "xinetd"], "description": "xinetd: Excessive number connections to a service."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3301, "level": 6, "status": "enabled", "details": {"if_sid": "3300", "id": "^554$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Attempt to use mail server as relay (client host rejected)."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5405, "level": 5, "status": "enabled", "details": {"if_sid": "5400", "match": "user NOT in sudoers"}, "pci_dss": ["10.2.2", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.6", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": 
{"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Unauthorized user attempted to use sudo."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4505, "level": 11, "status": "enabled", "details": {"if_sid": "4503", "id": "^00027"}, "pci_dss": ["1.4", "10.6.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["SC.7", "AU.6"], "tsc": ["CC6.7", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1485"], "technique": ["Data Destruction"]}, "groups": ["service_availability", "netscreenfw"], "description": "Netscreen Erase sequence started."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5705, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "360", "if_matched_sid": "5704"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access", "Credential Access"], "id": ["T1190", "T1110"], "technique": ["Exploit Public-Facing Application", "Brute Force"]}, "groups": ["syslog", "sshd"], "description": "sshd: Possible scan or breakin attempt (high number of login timeouts)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": 
{"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3904, "level": 3, "status": "enabled", "details": {"if_sid": "3900", "match": "^LOGIN,"}, "pci_dss": ["10.2.5"], "gpg13": ["7.1", "7.2"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "courier"], "description": "Courier (imap/pop3) authentication success."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2964, "level": 10, "status": "enabled", "details": {"frequency": "4", "timeframe": "30", "if_matched_sid": "2963", "same_source_ip": ""}, "pci_dss": ["11.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["recon", "syslog", "perdition"], "description": "perdition: Multiple connection attempts from same source."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3330, "level": 10, "status": "enabled", "details": 
{"ignore": "240", "if_sid": "3320", "match": ["defer service failure|Resource temporarily unavailable|", "^fatal: the Postfix mail system is not running"]}, "pci_dss": ["10.6.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "postfix"], "description": "Postfix process error."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3106, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=553 5.5.4 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender address does not have domain (553: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4337, "level": 8, "status": "enabled", "details": {"if_sid": "4312", "id": "^3-201008"}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1133"], "technique": ["External Remote Services"]}, 
"groups": ["service_availability", "syslog", "pix"], "description": "PIX: The PIX is disallowing new connections."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3104, "level": 6, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=550 5.7.1 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Attempt to use mail server as relay (550: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5108, "level": 12, "status": "enabled", "details": {"if_sid": "5100", "match": "Out of Memory: "}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "linuxkernel"], "description": "System running out of memory. 
Availability of the system is in risk."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4336, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-113006"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.1", "7.5"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1133"], "technique": ["External Remote Services"]}, "groups": ["authentication_failed", "syslog", "pix"], "description": "PIX: AAA (VPN) user locked out."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3355, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3305", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, 
"cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3397, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "RBL"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: RBL lookup error: Host or domain name not found"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3305, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^504$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 594, "level": 5, "status": "enabled", 
"details": {"category": "wazuh", "if_sid": "550", "hostname": "syscheck-registry"}, "pci_dss": ["11.5"], "gpg13": ["4.13"], "gdpr": ["II_5.1.f"], "hipaa": ["164.312.c.1", "164.312.c.2"], "nist_800_53": ["SI.7"], "tsc": ["PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1492"], "technique": ["Stored Data Manipulation"]}, "groups": ["syscheck", "wazuh"], "description": "Registry Integrity Checksum Changed"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3356, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "ignore": "30", "if_matched_sid": "3306", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5133, "level": 11, "status": "enabled", "details": {"if_sid": "5100", "match": "PKCS#7 signature not signed with a trusted key"}, "mitre": {"tactic": ["Persistence"], "id": ["T1215"], "technique": ["Kernel Modules and 
Extensions"]}, "groups": ["syslog", "linuxkernel"], "description": "Signed but untrusted kernel module was loaded"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3357, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "ignore": "60", "if_matched_sid": "3332", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "postfix"], "description": "Postfix: Multiple SASL authentication failures."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2551, "level": 10, "status": "enabled", "details": {"if_sid": "2550", "regex": "^Connection from S+ on illegal port$"}, "pci_dss": ["10.6.1"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Discovery"], "id": ["T1046"], "technique": ["Network Service Scanning"]}, "groups": ["connection_attempt", "syslog", "access_control"], "description": "Connection to rshd from unprivileged port. 
Possible network scan."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3910, "level": 10, "status": "enabled", "details": {"frequency": "12", "timeframe": "30", "if_matched_sid": "3902", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "courier"], "description": "Courier brute force (multiple failed logins)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4325, "level": 8, "status": "enabled", "details": {"if_sid": "4313", "id": "^4-405001"}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer Protocol"]}, "groups": ["syslog", "pix"], "description": "PIX: ARP collision detected."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} 
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0015-ossec_rules.xml", "relative_dirname": "ruleset/rules", "id": 593, "level": 9, "status": "enabled", "details": {"if_sid": "500", "match": "^ossec: Event log cleared"}, "pci_dss": ["10.5.2"], "gpg13": ["10.1"], "gdpr": ["II_5.1.f", "IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.9"], "tsc": ["CC6.1", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1070"], "technique": ["Indicator Removal on Host"]}, "groups": ["logs_cleared", "wazuh"], "description": "Microsoft Event log cleared."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5104, "level": 8, "status": "enabled", "details": {"if_sid": "5100", "regex": ["Promiscuous mode enabled|", "device S+ entered promiscuous mode"]}, "pci_dss": ["10.6.1", "11.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Discovery"], "id": ["T1040"], "technique": ["Network Sniffing"]}, "groups": ["promisc", "syslog", "linuxkernel"], "description": "Interface entered in promiscuous(sniffing) mode."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0085-pam_rules.xml", "relative_dirname": "ruleset/rules", "id": 5551, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", 
"if_matched_sid": "5503", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "pam", "syslog"], "description": "PAM: Multiple failed logins in a small period of time."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3335, "level": 6, "status": "enabled", "details": {"if_sid": "3320", "match": "^too many "}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: too many errors after RCPT from unknown"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}