diff --git a/.env b/.env
index 988071e5d9bca06c7cab9099c61d216038486bb2..6a2efd0732e3a9ca6ef2afbe9bca1b48fb8fef76 100644
--- a/.env
+++ b/.env
@@ -20,4 +20,5 @@ clouditor_oauth2_port=8080
 clouditor_client_id=clouditor
 clouditor_client_secret=clouditor
 
-wazuh_check_interval=300
\ No newline at end of file
+wazuh_check_interval=3600
+wazuh_rule_level=10
\ No newline at end of file
diff --git a/MANIFEST b/MANIFEST
index cfffdeccddecd56ab65f231a90eee39933e933e2..792acf171542f4b3cc3f7d6b38e6f51a2eb2b553 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1,2 +1,2 @@
-VERSION=v0.0.14
+VERSION=v0.0.15
 SERVICE=evidence-collector
diff --git a/README.md b/README.md
index 64ca89423c72f9880ade97c564d695e47c713260..5e0a791edebb49d683ea5f1036b47ced1d1c3537 100644
--- a/README.md
+++ b/README.md
@@ -103,7 +103,8 @@ All of the following environment variables have to be set (or passed to containe
 | `clouditor_oauth2_port` | Clouditor port used for authentication services. Default value `8080`. |
 | `clouditor_client_id` | Clouditor OAuth2 default id. Default value `clouditor`. |
 | `clouditor_client_secret` | Clouditor OAuth2 default secret. Default value `clouditor`. |
-| `wazuh_check_interval` | Interval in seconds; how often should evidence be created and forwarded. Should be the same as the check interval set on Wazuh manager. |
+| `wazuh_check_interval` | Interval in seconds (rounded to a minute/60 second intervals); how often should evidence be created and forwarded. Should be the same as the check interval set on Wazuh manager. |
+| `wazuh_rule_level` | Min. Wazuh rule severity level that is required for an event to be counted as a threat. |
 
 ### Medina resource ID mapping
 
diff --git a/kubernetes/wazuh-vat-evidence-collector-configmap.yaml b/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
index 4814a24e472b524628ae6fa8a4298220092ffc7b..76b4c16853329f75bfc7dda710a9a2161ac0f186 100644
--- a/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
+++ b/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
@@ -22,4 +22,5 @@ data:
   clouditor_host: 'security-assessment-svc'
   clouditor_port: '9090'
 
-  wazuh_check_interval: '300'
\ No newline at end of file
+  wazuh_check_interval: '3600'
+  wazuh_rule_level: '10'
\ No newline at end of file
diff --git a/wazuh_evidence_collector/checker.py b/wazuh_evidence_collector/checker.py
index 6480d231bcd9a44a955c21a9e14af9aeba8cf070..13d4eef56372e113fb08c7be243a25d1de26772c 100644
--- a/wazuh_evidence_collector/checker.py
+++ b/wazuh_evidence_collector/checker.py
@@ -1,7 +1,11 @@
-from wazuh_evidence_collector.wazuh_client import WazuhClient
 import elasticsearch
 import urllib3
 from elasticsearch_dsl import Search
+import os
+from forward_evidence.resource_id_mapper import map_resource_id
+
+WAZUH_CHECK_INTERVAL = os.environ.get("wazuh_check_interval")
+WAZUH_RULE_LEVEL = int(os.environ.get("wazuh_rule_level"))
 
 class Checker:
     def __init__(self, wc, es, logger):
@@ -106,3 +110,46 @@ class Checker:
         measurement_result = len(body['hits']['hits']) > 0
 
         return body, measurement_result
+
+
+    def check_security_events(self, agent):
+        query = {
+            "query": {
+                "bool": {
+                    "must": [
+                        {
+                            "match": {
+                                "agent.id": agent[0]
+                            }
+                        },
+                        {
+                            "range" : {
+                                "rule.level" : {
+                                    "gte" : WAZUH_RULE_LEVEL
+                                }
+                            }
+                        },
+                        {
+                            "range" : {
+                                "@timestamp" : {
+                                    "gte" : "now-" + WAZUH_CHECK_INTERVAL + "s"
+                                }
+                            }
+                        }
+                    ]
+                }
+            }
+        }
+
+        try:
+            body = self.es.search(index="wazuh-alerts-*", body=query)
+        except (elasticsearch.exceptions.ConnectionError, TimeoutError, urllib3.exceptions.NewConnectionError,
+                urllib3.exceptions.MaxRetryError) as err:
+            self.logger.error(err)
+            self.logger.error("Elasticsearch not available")
+
+            return None
+
+        self.logger.debug(map_resource_id(agent[1]) + " security events count: " + str(len(body['hits']['hits'])))
+
+        return len(body['hits']['hits'])
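Review bot: `WAZUH_RULE_LEVEL = int(os.environ.get("wazuh_rule_level"))` raises a bare `TypeError` at import time when the variable is unset, and `WAZUH_CHECK_INTERVAL` stays an unvalidated string that is later concatenated into the Elasticsearch date-math expression, so a missing or non-numeric interval only surfaces as a query error inside `check_security_events`, which is not one of the exceptions that method catches. Both variables are mandatory per the README, so read them with `os.environ[...]` (a `KeyError` naming the variable is clearer) and validate the interval as an integer up front: `WAZUH_CHECK_INTERVAL = int(os.environ["wazuh_check_interval"])` and `WAZUH_RULE_LEVEL = int(os.environ["wazuh_rule_level"])`, then build the range bound as `f"now-{WAZUH_CHECK_INTERVAL}s"` in the method. The new `from forward_evidence.resource_id_mapper import map_resource_id` also makes the collector package depend on the forwarder package; if that layering is intended, a short comment on the import would save the next reader from questioning it.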
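Review bot: `return len(body['hits']['hits'])` counts only the page of hits the search returned, which is capped by Elasticsearch's default `size` of 10, so `numberOfThreatsFound` can never exceed 10 no matter how many alerts match; the existing checks use this length only as a boolean, where the cap is harmless. Ask for the total instead, e.g. `body = self.es.search(index="wazuh-alerts-*", body=query, size=0, track_total_hits=True)` and `return body['hits']['total']['value']` — the object form of `hits.total` is the ES 7 / OpenSearch shape, on older ES it is a plain integer, so confirm against the indexer the Wazuh deployment uses — and apply the same change to the `self.logger.debug(...)` line just above the return. A docstring would also help because `agent` is indexed positionally: something like "Count Wazuh alerts for `agent` (`agent[0]` is the agent id matched in the query, `agent[1]` is passed to `map_resource_id`) with `rule.level >= WAZUH_RULE_LEVEL` in the last `WAZUH_CHECK_INTERVAL` seconds; returns None when Elasticsearch is unreachable."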
diff --git a/wazuh_evidence_collector/wazuh_evidence_collector.py b/wazuh_evidence_collector/wazuh_evidence_collector.py
index 4278cb1e02ea483b60afa190262f263dcaedcd28..37564e015985d41358c30dfbac100fb838401ac6 100644
--- a/wazuh_evidence_collector/wazuh_evidence_collector.py
+++ b/wazuh_evidence_collector/wazuh_evidence_collector.py
@@ -1,4 +1,3 @@
-import json
 import os
 from wazuh_evidence_collector.wazuh_client import WazuhClient
 from elasticsearch import Elasticsearch
@@ -115,6 +114,8 @@ def generate_evidence(agent, checker):
     evidence, result_clamd_logs = checker.check_clamd_logs_elastic(agent)
     raw_evidence.append(evidence)
 
+    security_events_count = checker.check_security_events(agent)
+
     if result_syscheck and result_rootcheck and \
         (result_virus_total or (result_clamd_process and result_clamd_logs)):
         malware_protection = { "malwareProtection": { "enabled": True }}
@@ -122,7 +123,7 @@ def generate_evidence(agent, checker):
         malware_protection = { "malwareProtection": { "enabled": False }}
 
     # TODO: implement metrics
-    malware_protection["malwareProtection"].update({ "daysSinceActive": None, "numberOfThreatsFound": None})
+    malware_protection["malwareProtection"].update({ "daysSinceActive": None, "numberOfThreatsFound": security_events_count})
 
     # MalwareProtectionOutput
     evidence, result_alert_integration = checker.check_alert_integrations()
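Review bot: The `# TODO: implement metrics` comment above the changed `update(...)` line is now half stale: `numberOfThreatsFound` is implemented while `daysSinceActive` is still `None`, and nothing records what the new number actually measures. Suggest replacing it with `# TODO: implement daysSinceActive` followed by `# numberOfThreatsFound: Wazuh alerts with rule.level >= wazuh_rule_level in the last wazuh_check_interval seconds; None when Elasticsearch was unreachable (see Checker.check_security_events)`. In the previous hunk `security_events_count` can be `None` after an Elasticsearch outage and that `None` is forwarded as-is rather than as `0`; keeping "unknown" distinct from "zero threats" is the right call, but stating it in the comment stops someone from later "fixing" it to `or 0`. The rest of `generate_evidence` lies outside these hunks.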