From 60bd257e603974b14dd1e266d6988263612ba9ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matev=C5=BE=20Er=C5=BEen?= <matevz.erzen@xlab.si>
Date: Tue, 5 Apr 2022 11:05:05 +0000
Subject: [PATCH] Wazuh threat count
---
.env | 3 +-
MANIFEST | 2 +-
README.md | 3 +-
...azuh-vat-evidence-collector-configmap.yaml | 3 +-
wazuh_evidence_collector/checker.py | 49 ++++++++++++++++++-
.../wazuh_evidence_collector.py | 5 +-
6 files changed, 58 insertions(+), 7 deletions(-)
diff --git a/.env b/.env
index 988071e..6a2efd0 100644
--- a/.env
+++ b/.env
@@ -20,4 +20,5 @@ clouditor_oauth2_port=8080
clouditor_client_id=clouditor
clouditor_client_secret=clouditor
-wazuh_check_interval=300
\ No newline at end of file
+wazuh_check_interval=3600
+wazuh_rule_level=10
\ No newline at end of file
diff --git a/MANIFEST b/MANIFEST
index cfffdec..792acf1 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1,2 +1,2 @@
-VERSION=v0.0.14
+VERSION=v0.0.15
SERVICE=evidence-collector
diff --git a/README.md b/README.md
index 64ca894..5e0a791 100644
--- a/README.md
+++ b/README.md
@@ -103,7 +103,8 @@ All of the following environment variables have to be set (or passed to containe
| `clouditor_oauth2_port` | Clouditor port used for authentication services. Default value `8080`. |
| `clouditor_client_id` | Clouditor OAuth2 default id. Default value `clouditor`. |
| `clouditor_client_secret` | Clouditor OAuth2 default secret. Default value `clouditor`. |
-| `wazuh_check_interval` | Interval in seconds; how often should evidence be created and forwarded. Should be the same as the check interval set on Wazuh manager. |
+| `wazuh_check_interval` | Interval in seconds (rounded to a minute/60 second intervals); how often should evidence be created and forwarded. Should be the same as the check interval set on Wazuh manager. |
+| `wazuh_rule_level` | Min. Wazuh rule severity level that is required for an event to be counted as a threat. |
### Medina resource ID mapping
diff --git a/kubernetes/wazuh-vat-evidence-collector-configmap.yaml b/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
index 4814a24..76b4c16 100644
--- a/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
+++ b/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
@@ -22,4 +22,5 @@ data:
clouditor_host: 'security-assessment-svc'
clouditor_port: '9090'
- wazuh_check_interval: '300'
\ No newline at end of file
+ wazuh_check_interval: '3600'
+ wazuh_rule_level: '10'
\ No newline at end of file
diff --git a/wazuh_evidence_collector/checker.py b/wazuh_evidence_collector/checker.py
index 6480d23..13d4eef 100644
--- a/wazuh_evidence_collector/checker.py
+++ b/wazuh_evidence_collector/checker.py
@@ -1,7 +1,11 @@
-from wazuh_evidence_collector.wazuh_client import WazuhClient
import elasticsearch
import urllib3
from elasticsearch_dsl import Search
+import os
+from forward_evidence.resource_id_mapper import map_resource_id
+
+WAZUH_CHECK_INTERVAL = os.environ.get("wazuh_check_interval")
+WAZUH_RULE_LEVEL = int(os.environ.get("wazuh_rule_level"))
class Checker:
def __init__(self, wc, es, logger):
@@ -106,3 +110,46 @@ class Checker:
measurement_result = len(body['hits']['hits']) > 0
return body, measurement_result
+
+
+ def check_security_events(self, agent):
+ query = {
+ "query": {
+ "bool": {
+ "must": [
+ {
+ "match": {
+ "agent.id": agent[0]
+ }
+ },
+ {
+ "range" : {
+ "rule.level" : {
+ "gte" : WAZUH_RULE_LEVEL
+ }
+ }
+ },
+ {
+ "range" : {
+ "@timestamp" : {
+ "gte" : "now-" + WAZUH_CHECK_INTERVAL + "s"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+
+ try:
+ body = self.es.search(index="wazuh-alerts-*", body=query)
+ except (elasticsearch.exceptions.ConnectionError, TimeoutError, urllib3.exceptions.NewConnectionError,
+ urllib3.exceptions.MaxRetryError) as err:
+ self.logger.error(err)
+ self.logger.error("Elasticsearch not available")
+
+ return None
+
+ self.logger.debug(map_resource_id(agent[1]) + " security events count: " + str(len(body['hits']['hits'])))
+
+ return len(body['hits']['hits'])
diff --git a/wazuh_evidence_collector/wazuh_evidence_collector.py b/wazuh_evidence_collector/wazuh_evidence_collector.py
index 4278cb1..37564e0 100644
--- a/wazuh_evidence_collector/wazuh_evidence_collector.py
+++ b/wazuh_evidence_collector/wazuh_evidence_collector.py
@@ -1,4 +1,3 @@
-import json
import os
from wazuh_evidence_collector.wazuh_client import WazuhClient
from elasticsearch import Elasticsearch
@@ -115,6 +114,8 @@ def generate_evidence(agent, checker):
evidence, result_clamd_logs = checker.check_clamd_logs_elastic(agent)
raw_evidence.append(evidence)
+ security_events_count = checker.check_security_events(agent)
+
if result_syscheck and result_rootcheck and \
(result_virus_total or (result_clamd_process and result_clamd_logs)):
malware_protection = { "malwareProtection": { "enabled": True }}
@@ -122,7 +123,7 @@ def generate_evidence(agent, checker):
malware_protection = { "malwareProtection": { "enabled": False }}
# TODO: implement metrics
- malware_protection["malwareProtection"].update({ "daysSinceActive": None, "numberOfThreatsFound": None})
+ malware_protection["malwareProtection"].update({ "daysSinceActive": None, "numberOfThreatsFound": security_events_count})
# MalwareProtectionOutput
evidence, result_alert_integration = checker.check_alert_integrations()
--
GitLab