[Feature request] Wazuh events are not CIM compliant #940

Open
manuasir opened this issue Oct 7, 2020 · 1 comment
type/enhancement Enhancement issue
@manuasir
Contributor

manuasir commented Oct 7, 2020

Hello team,

Currently, the Wazuh alerts are treated as _json sourcetype, so data can be searched within the Search app and the Splunk app for Wazuh. However, the events cannot be populated from other add-ons. We should make the Wazuh Alerts compliant with common information model (CIM).

More info: https://docs.splunk.com/Documentation/CIM/4.17.0/User/UsetheCIMtonormalizedataatsearchtime

Regards

@manuasir manuasir added the type/enhancement Enhancement issue label Oct 7, 2020
@manuasir manuasir self-assigned this Oct 22, 2020
@manuasir
Contributor Author

We finally managed to get Wazuh alerts compliant with the Splunk Common Information Model. The work done can be checked in this branch.

Proposal

The first approach was about creating a new Splunk TA that handles all the required transformations. As an example, check out these Windows field transforms:

FIELDALIAS-wazuh_win_body = data.win.system.message as body
FIELDALIAS-wazuh_win_src = data.win.system.providerName as src
FIELDALIAS-wazuh_win_type = data.win.system.channel as type
FIELDALIAS-wazuh_win_dvc = data.win.system.computer as dvc
FIELDALIAS-wazuh_win_dvc_ip = agent.ip as dvc_ip

All of these (type, dvc, dvc_ip) are normalized names, so we can search for them in any CIM-compliant add-on or in the native Splunk Search app. Additionally, CIM also requires some numerical values to be normalized. We created several CSV files for that. For example, to normalize alert levels:

severity_id,severity
0,informational
1,informational
2,informational
3,informational
4,low
5,low
6,low
7,low
8,low
9,medium
10,medium
11,medium
12,high
13,high
14,high
15,critical

Those CSV files are loaded as Splunk lookups, which are then loaded via props:

LOOKUP-severity_for_wazuh = wazuh_severities_lookup severity_id OUTPUT severity
LOOKUP-action_for_wazuh = wazuh_action_lookup signature_id AS wazuh_signature_id OUTPUT action,status,change_type,change_type AS wazuh_change_type

Finally, we checked the level of compliance by getting this CIM Validator app:
Although we cannot be 100% compliant with all data models, we managed to get as much coverage as possible.
[Screenshot: CIM Validator app coverage results]

Finally, we had to handle the integration of this TA along with the current Splunk App for Wazuh, which wasn't so hard, since it only required appending the new configurations to the existing ones.
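The FIELDALIAS and LOOKUP stanzas in the comment above are applied by Splunk at search time. As an added example (not code from the issue, the Wazuh project or the TA branch), the script below reproduces the same two normalization steps in plain Python so the mapping can be checked against a raw alert before it is shipped to Splunk: the dotted source paths are aliased to the CIM names listed above, and the alert's rule level is run through the severity CSV from the comment. The sample alert is constructed for this example and the assumption that severity_id is fed from rule.level is mine; the action lookup is not reproduced because its CSV is not shown on the page.

```python
import csv
import io

# Field aliases exactly as in the FIELDALIAS stanzas above:
# dotted path inside the Wazuh alert JSON -> CIM field name.
FIELD_ALIASES = {
    "data.win.system.message": "body",
    "data.win.system.providerName": "src",
    "data.win.system.channel": "type",
    "data.win.system.computer": "dvc",
    "agent.ip": "dvc_ip",
}

# Severity lookup CSV as shown above (Wazuh rule level -> CIM severity).
SEVERITY_CSV = """severity_id,severity
0,informational
1,informational
2,informational
3,informational
4,low
5,low
6,low
7,low
8,low
9,medium
10,medium
11,medium
12,high
13,high
14,high
15,critical
"""

# Constructed sample alert (not a real Wazuh event); the shape follows the
# Windows eventchannel alerts the aliases above are written for.
SAMPLE_WINDOWS_ALERT = {
    "agent": {"id": "001", "name": "win-host-01", "ip": "10.0.0.25"},
    "rule": {"level": 10, "id": "100001", "description": "constructed test rule"},
    "data": {"win": {"system": {
        "providerName": "Microsoft-Windows-Security-Auditing",
        "channel": "Security",
        "computer": "win-host-01.example.local",
        "message": "An account failed to log on.",
    }}},
}


def load_severity_lookup(csv_text):
    """Parse the lookup CSV into {severity_id: severity}, like Splunk's lookup table."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {int(row["severity_id"]): row["severity"] for row in reader}


def get_path(event, dotted):
    """Walk a dotted path ('data.win.system.channel') through nested dicts; None if absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def normalize(alert, aliases=FIELD_ALIASES, severities=None):
    """Return the CIM fields Splunk would derive from this alert at search time.

    Missing source fields are simply skipped, mirroring FIELDALIAS behaviour on
    events that do not carry them (e.g. non-Windows alerts).
    """
    if severities is None:
        severities = load_severity_lookup(SEVERITY_CSV)
    cim = {}
    for source_path, cim_name in aliases.items():
        value = get_path(alert, source_path)
        if value is not None:
            cim[cim_name] = value
    # Assumption for this example: severity_id is taken from rule.level.
    level = get_path(alert, "rule.level")
    if level is not None:
        cim["severity_id"] = int(level)
        # Levels outside the CSV get no match in Splunk; flag them explicitly here.
        cim["severity"] = severities.get(int(level), "unknown")
    return cim


if __name__ == "__main__":
    for name, value in sorted(normalize(SAMPLE_WINDOWS_ALERT).items()):
        print(f"{name}={value}")
```

Running the script prints the CIM view of the sample alert (severity=medium for level 10). Feeding it an alert that lacks the data.win subtree shows which CIM fields the Windows aliases leave unset, which is the same gap the CIM Validator app reports for non-Windows sources.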

@snaow snaow closed this as completed Jan 28, 2021
@snaow snaow reopened this Jan 28, 2021