Feature - CIM compliance

SplunkAppForWazuh/default/eventtypes.conf

@@ -0,0 +1,11 @@
+[wazuh_alert]
+search = index=wazuh
+#tags = alert
+
+[wazuh_file_integrity_monitoring]
+search = index=wazuh wazuh_change_type=filesystem
+#tags = endpoint change
+
+[wazuh_authentication]
+search = index=wazuh wazuh_change_type=authentication
+#tags = authentication default

SplunkAppForWazuh/default/limits.conf

@@ -0,0 +1 @@
+indexed_kv_limit = 1000

SplunkAppForWazuh/default/props.conf

@@ -1,4 +1,52 @@
 [wazuh]
 INDEXED_EXTRACTIONS = JSON
-KV_MODE = none
-AUTO_KV_JSON = false
+KV_MODE = json
+SHOULD_LINEMERGE = false
+
+
+## Common fields
+FIELDALIAS-severity_id = rule.level as severity_id
+FIELDALIAS-rule_id = rule.id as id
+
+#FIELDALIAS-severity_id_for_suricata = data.alert.severity as severity_id
+FIELDALIAS-signature_id = rule.id as signature_id
+FIELDALIAS-dest_port_wazuh = data.dest_port as dest_port
+FIELDALIAS-wazuh_dest = agent.ip as dest
+FIELDALIAS-wazuh_dest_ip = agent.ip as dest_ip
+FIELDALIAS-wazuh_md5_new_for = syscheck.sha1_after as file_hash
+FIELDALIAS-wazuh_body_for = rule.full_log as body
+FIELDALIAS-wazuh_signature_for = rule.description as signature
+FIELDALIAS-wazuh_subject_for = rule.description as subject
+FIELDALIAS-wazuh_url = rule.info
+
+# Windows
+FIELDALIAS-wazuh_win_body = data.win.system.message as body
+FIELDALIAS-wazuh_win_src = data.win.system.providerName as src
+FIELDALIAS-wazuh_win_type = data.win.system.channel as type
+FIELDALIAS-wazuh_win_dvc = data.win.system.computer as dvc
+FIELDALIAS-wazuh_win_dvc_ip = agent.ip as dvc_ip
+FIELDALIAS-wazuh_win_dest = agent.ip as dest
+FIELDALIAS-wazuh_win_src_ip = data.win.eventdata.ipAddress as src_ip
+FIELDALIAS-wazuh_win_src = data.win.eventdata.ipAddress as src
+FIELDALIAS-wazuh_win_nt_app = rule.groups{} as app
+FIELDALIAS-wazuh_win_user_for = data.win.eventdata.targetUserName as user
+FIELDALIAS-wazuh_win_user_id = data.win.eventdata.targetUserName as user_id
+FIELDALIAS-wazuh_win_src_user_id = data.win.eventdata.targetUserName as src_user_id
+
+FIELDALIAS-wazuh_win_description = rule.description as description
+
+
+## Change and Alert CIM Mapping
+EVAL-object = COALESCE(file_name,host_name,orig_source)
+EVAL-user = IF(isnotnull(target_user), target_user, user)
+EVAL-src_user = IF(isnull(src_user), user, src_user)
+EVAL-vendor = "Wazuh: The Open Source Security Platform"
+EVAL-product = "HIDS"
+EVAL-vendor_product = "wazuh"
+#EVAL-app = "wazuh"
+EVAL-ids_type = "host"
+
+## Lookup
+LOOKUP-severity_for_wazuh = wazuh_severities_lookup severity_id OUTPUT severity
+LOOKUP-action_for_wazuh = wazuh_action_lookup signature_id AS wazuh_signature_id OUTPUT action,status,change_type,change_type AS wazuh_change_type
+#LOOKUP-object_category_for_wazuh = wazuh_object_category_lookup signature_id OUTPUT object_category

SplunkAppForWazuh/default/tags.conf

@@ -0,0 +1,10 @@
+[eventtype=wazuh_alert]
+alert = enabled
+
+[eventtype=wazuh_file_integrity_monitoring]
+endpoint = enabled
+change = enabled
+
+[eventtype=wazuh_authentication]
+authentication = enabled
+default = enabled

SplunkAppForWazuh/default/transforms.conf

@@ -10,4 +10,14 @@ fields_list = _key, id, url, port, user, password, filter
 [jobs_lookup]
 external_type = kvstore
 collection = jobs
-fields_list = _key, job, added, exec_time
+fields_list = _key, job, added, exec_time
+
+###### Lookups ######
+[wazuh_severities_lookup]
+filename = wazuh_severities_lookup.csv
+
+[wazuh_action_lookup]
+filename = wazuh_action_lookup.csv
+
+[wazuh_object_category_lookup]
+filename = wazuh_object_category_lookup.csv

SplunkAppForWazuh/lookups/wazuh_action_lookup.csv

@@ -0,0 +1,25 @@
+signature_id,action,status,change_type
+550,modified,success,filesystem
+551,modified,success,filesystem
+552,modified,success,filesystem
+553,deleted,success,filesystem
+554,created,success,filesystem
+555,modified,success,filesystem
+580,modified,success,filesystem
+581,created,success,filesystem
+591,modified,success,filesystem
+592,modified,success,filesystem
+593,deleted,success,filesystem
+594,modified,success,filesystem
+595,modified,success,filesystem
+596,modified,success,filesystem
+597,deleted,success,filesystem
+598,created,success,filesystem
+5303,success,,authentication
+5304,success,,authentication
+5402,success,,authentication
+5503,failure,,authentication
+5715,success,,authentication
+5716,failure,,authentication
+18107,success,,authentication
+18149,success,,authentication

SplunkAppForWazuh/lookups/wazuh_object_category_lookup.csv

@@ -0,0 +1,17 @@
+signature_id,object_category
+550,file
+551,file
+552,file
+553,file
+554,file
+555,host_info
+580,host_info
+581,host_info
+591,file
+592,file
+593,win_event_log
+594,registry
+595,registry
+596,registry
+597,registry
+598,registry

SplunkAppForWazuh/lookups/wazuh_severities_lookup.csv

@@ -0,0 +1,17 @@
+severity_id,severity
+0,informational
+1,informational
+2,informational
+3,informational
+4,low
+5,low
+6,low
+7,low
+8,low
+9,medium
+10,medium
+11,medium
+12,high
+13,high
+14,high
+15,critical

TA_Wazuh_CIM_addon/README.md

@@ -0,0 +1,14 @@
+# TA Wazuh CIM compliance
+
+[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack/)
+[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
+[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
+[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
+
+This Add-on supports CIM compliance for Wazuh alerts.
+
+## References
+
+- [Wazuh website](https://wazuh.com)
+- [Wazuh documentation](https://documentation.wazuh.com)
+- [Splunk documentation](http://docs.splunk.com/Documentation)

TA_Wazuh_CIM_addon/default/app.conf

@@ -0,0 +1,25 @@
+######################################################
+#
+# Splunk_TA_wazuh
+#
+# Copyright Wazuh,Inc. (C) 2020 All Rights Reserved.
+#
+######################################################
+
+[install]
+is_configured = false
+state = enabled
+build = 10
+
+[launcher]
+author=Splunk
+version=4.0.1
+description = Splunk Add-on for Wazuh CIM compliance
+
+[ui]
+is_visible = false
+label = Splunk Add-on for Wazuh CIM compliance
+docs_section_override = AddOns:released
+
+[package]
+id = Splunk_TA_wazuh

TA_Wazuh_CIM_addon/default/eventtypes.conf

@@ -0,0 +1,11 @@
+[wazuh_alert]
+search = index=wazuh
+#tags = alert
+
+[wazuh_file_integrity_monitoring]
+search = index=wazuh wazuh_change_type=filesystem
+#tags = endpoint change
+
+[wazuh_authentication]
+search = index=wazuh wazuh_change_type=authentication
+#tags = authentication default

TA_Wazuh_CIM_addon/default/limits.conf

@@ -0,0 +1 @@
+indexed_kv_limit = 1000

TA_Wazuh_CIM_addon/default/props.conf

@@ -0,0 +1,51 @@
+## Fields extraction
+[wazuh]
+SHOULD_LINEMERGE = false
+KV_MODE = json
+
+## Common fields
+FIELDALIAS-severity_id = rule.level as severity_id
+FIELDALIAS-rule_id = rule.id as id
+
+#FIELDALIAS-severity_id_for_suricata = data.alert.severity as severity_id
+FIELDALIAS-signature_id = rule.id as signature_id
+FIELDALIAS-dest_port_wazuh = data.dest_port as dest_port
+FIELDALIAS-wazuh_dest = agent.ip as dest
+FIELDALIAS-wazuh_dest_ip = agent.ip as dest_ip
+FIELDALIAS-wazuh_md5_new_for = syscheck.sha1_after as file_hash
+FIELDALIAS-wazuh_body_for = rule.full_log as body
+FIELDALIAS-wazuh_signature_for = rule.description as signature
+FIELDALIAS-wazuh_subject_for = rule.description as subject
+FIELDALIAS-wazuh_url = rule.info
+
+# Windows
+FIELDALIAS-wazuh_win_body = data.win.system.message as body
+FIELDALIAS-wazuh_win_src = data.win.system.providerName as src
+FIELDALIAS-wazuh_win_type = data.win.system.channel as type
+FIELDALIAS-wazuh_win_dvc = data.win.system.computer as dvc
+FIELDALIAS-wazuh_win_dvc_ip = agent.ip as dvc_ip
+FIELDALIAS-wazuh_win_dest = agent.ip as dest
+FIELDALIAS-wazuh_win_src_ip = data.win.eventdata.ipAddress as src_ip
+FIELDALIAS-wazuh_win_src = data.win.eventdata.ipAddress as src
+FIELDALIAS-wazuh_win_nt_app = rule.groups{} as app
+FIELDALIAS-wazuh_win_user_for = data.win.eventdata.targetUserName as user
+FIELDALIAS-wazuh_win_user_id = data.win.eventdata.targetUserName as user_id
+FIELDALIAS-wazuh_win_src_user_id = data.win.eventdata.targetUserName as src_user_id
+
+FIELDALIAS-wazuh_win_description = rule.description as description
+
+
+## Change and Alert CIM Mapping
+EVAL-object = COALESCE(file_name,host_name,orig_source)
+EVAL-user = IF(isnotnull(target_user), target_user, user)
+EVAL-src_user = IF(isnull(src_user), user, src_user)
+EVAL-vendor = "Wazuh: The Open Source Security Platform"
+EVAL-product = "HIDS"
+EVAL-vendor_product = "wazuh"
+#EVAL-app = "wazuh"
+EVAL-ids_type = "host"
+
+## Lookup
+LOOKUP-severity_for_wazuh = wazuh_severities_lookup severity_id OUTPUT severity
+LOOKUP-action_for_wazuh = wazuh_action_lookup signature_id AS wazuh_signature_id OUTPUT action,status,change_type,change_type AS wazuh_change_type
+#LOOKUP-object_category_for_wazuh = wazuh_object_category_lookup signature_id OUTPUT object_category

TA_Wazuh_CIM_addon/default/tags.conf

@@ -0,0 +1,10 @@
+[eventtype=wazuh_alert]
+alert = enabled
+
+[eventtype=wazuh_file_integrity_monitoring]
+endpoint = enabled
+change = enabled
+
+[eventtype=wazuh_authentication]
+authentication = enabled
+default = enabled

TA_Wazuh_CIM_addon/default/transforms.conf

@@ -0,0 +1,9 @@
+###### Lookups ######
+[wazuh_severities_lookup]
+filename = wazuh_severities_lookup.csv
+
+[wazuh_action_lookup]
+filename = wazuh_action_lookup.csv
+
+[wazuh_object_category_lookup]
+filename = wazuh_object_category_lookup.csv

TA_Wazuh_CIM_addon/lookups/wazuh_action_lookup.csv

@@ -0,0 +1,25 @@
+signature_id,action,status,change_type
+550,modified,success,filesystem
+551,modified,success,filesystem
+552,modified,success,filesystem
+553,deleted,success,filesystem
+554,created,success,filesystem
+555,modified,success,filesystem
+580,modified,success,filesystem
+581,created,success,filesystem
+591,modified,success,filesystem
+592,modified,success,filesystem
+593,deleted,success,filesystem
+594,modified,success,filesystem
+595,modified,success,filesystem
+596,modified,success,filesystem
+597,deleted,success,filesystem
+598,created,success,filesystem
+5303,success,,authentication
+5304,success,,authentication
+5402,success,,authentication
+5503,failure,,authentication
+5715,success,,authentication
+5716,failure,,authentication
+18107,success,,authentication
+18149,success,,authentication

TA_Wazuh_CIM_addon/lookups/wazuh_object_category_lookup.csv

@@ -0,0 +1,17 @@
+signature_id,object_category
+550,file
+551,file
+552,file
+553,file
+554,file
+555,host_info
+580,host_info
+581,host_info
+591,file
+592,file
+593,win_event_log
+594,registry
+595,registry
+596,registry
+597,registry
+598,registry

TA_Wazuh_CIM_addon/lookups/wazuh_severities_lookup.csv

@@ -0,0 +1,17 @@
+severity_id,severity
+0,informational
+1,informational
+2,informational
+3,informational
+4,low
+5,low
+6,low
+7,low
+8,low
+9,medium
+10,medium
+11,medium
+12,high
+13,high
+14,high
+15,critical

TA_Wazuh_CIM_addon/metadata/default.meta

@@ -0,0 +1,6 @@
+
+# Application-level permissions
+
+[]
+access = read : [ * ], write : [ admin]
+export = system