From 60bd257e603974b14dd1e266d6988263612ba9ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matev=C5=BE=20Er=C5=BEen?= <matevz.erzen@xlab.si>
Date: Tue, 5 Apr 2022 11:05:05 +0000
Subject: [PATCH] Wazuh threat count

---
 .env                                               |  3 +-
 MANIFEST                                           |  2 +-
 README.md                                          |  3 +-
 ...azuh-vat-evidence-collector-configmap.yaml     |  3 +-
 wazuh_evidence_collector/checker.py                | 49 ++++++++++++++++++-
 .../wazuh_evidence_collector.py                    |  5 +-
 6 files changed, 58 insertions(+), 7 deletions(-)

diff --git a/.env b/.env
index 988071e..6a2efd0 100644
--- a/.env
+++ b/.env
@@ -20,4 +20,5 @@ clouditor_oauth2_port=8080
 clouditor_client_id=clouditor
 clouditor_client_secret=clouditor
-wazuh_check_interval=300
\ No newline at end of file
+wazuh_check_interval=3600
+wazuh_rule_level=10
\ No newline at end of file
diff --git a/MANIFEST b/MANIFEST
index cfffdec..792acf1 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1,2 +1,2 @@
-VERSION=v0.0.14
+VERSION=v0.0.15
 SERVICE=evidence-collector
diff --git a/README.md b/README.md
index 64ca894..5e0a791 100644
--- a/README.md
+++ b/README.md
@@ -103,7 +103,8 @@ All of the following environment variables have to be set (or passed to containe
 | `clouditor_oauth2_port` | Clouditor port used for authentication services. Default value `8080`. |
 | `clouditor_client_id` | Clouditor OAuth2 default id. Default value `clouditor`. |
 | `clouditor_client_secret` | Clouditor OAuth2 default secret. Default value `clouditor`. |
-| `wazuh_check_interval` | Interval in seconds; how often should evidence be created and forwarded. Should be the same as the check interval set on Wazuh manager. |
+| `wazuh_check_interval` | Interval in seconds (rounded to a minute/60 second intervals); how often should evidence be created and forwarded. Should be the same as the check interval set on Wazuh manager. |
+| `wazuh_rule_level` | Min. Wazuh rule severity level that is required for an event to be counted as a threat. |
 
 ### Medina resource ID mapping
diff --git a/kubernetes/wazuh-vat-evidence-collector-configmap.yaml b/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
index 4814a24..76b4c16 100644
--- a/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
+++ b/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
@@ -22,4 +22,5 @@ data:
   clouditor_host: 'security-assessment-svc'
   clouditor_port: '9090'
-  wazuh_check_interval: '300'
\ No newline at end of file
+  wazuh_check_interval: '3600'
+  wazuh_rule_level: '10'
\ No newline at end of file
diff --git a/wazuh_evidence_collector/checker.py b/wazuh_evidence_collector/checker.py
index 6480d23..13d4eef 100644
--- a/wazuh_evidence_collector/checker.py
+++ b/wazuh_evidence_collector/checker.py
@@ -1,7 +1,11 @@
-from wazuh_evidence_collector.wazuh_client import WazuhClient
 import elasticsearch
 import urllib3
 from elasticsearch_dsl import Search
+import os
+from forward_evidence.resource_id_mapper import map_resource_id
+
+WAZUH_CHECK_INTERVAL = os.environ.get("wazuh_check_interval")
+WAZUH_RULE_LEVEL = int(os.environ.get("wazuh_rule_level"))
 
 class Checker:
     def __init__(self, wc, es, logger):
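Review bot: `WAZUH_RULE_LEVEL = int(os.environ.get("wazuh_rule_level"))` fails at import time with an unhelpful `TypeError` on `None` when the variable is unset, and `WAZUH_CHECK_INTERVAL` is kept as an unvalidated string even though the check_security_events hunk later splices it into an Elasticsearch date-math expression (`"now-" + WAZUH_CHECK_INTERVAL + "s"`). Since the README states both variables are mandatory, read them with indexing so a missing one fails with a `KeyError` that names it, and validate the interval as an integer once here: `WAZUH_CHECK_INTERVAL = str(int(os.environ["wazuh_check_interval"]))` and `WAZUH_RULE_LEVEL = int(os.environ["wazuh_rule_level"])`. That way a typo in the configmap is caught at startup rather than producing a malformed range query on the first collection run.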
@@ -106,3 +110,46 @@ class Checker:
         measurement_result = len(body['hits']['hits']) > 0
 
         return body, measurement_result
+
+
+    def check_security_events(self, agent):
+        query = {
+            "query": {
+                "bool": {
+                    "must": [
+                        {
+                            "match": {
+                                "agent.id": agent[0]
+                            }
+                        },
+                        {
+                            "range" : {
+                                "rule.level" : {
+                                    "gte" : WAZUH_RULE_LEVEL
+                                }
+                            }
+                        },
+                        {
+                            "range" : {
+                                "@timestamp" : {
+                                    "gte" : "now-" + WAZUH_CHECK_INTERVAL + "s"
+                                }
+                            }
+                        }
+                    ]
+                }
+            }
+        }
+
+        try:
+            body = self.es.search(index="wazuh-alerts-*", body=query)
+        except (elasticsearch.exceptions.ConnectionError, TimeoutError, urllib3.exceptions.NewConnectionError,
+                urllib3.exceptions.MaxRetryError) as err:
+            self.logger.error(err)
+            self.logger.error("Elasticsearch not available")
+
+            return None
+
+        self.logger.debug(map_resource_id(agent[1]) + " security events count: " + str(len(body['hits']['hits'])))
+
+        return len(body['hits']['hits'])
diff --git a/wazuh_evidence_collector/wazuh_evidence_collector.py b/wazuh_evidence_collector/wazuh_evidence_collector.py
index 4278cb1..37564e0 100644
--- a/wazuh_evidence_collector/wazuh_evidence_collector.py
+++ b/wazuh_evidence_collector/wazuh_evidence_collector.py
@@ -1,4 +1,3 @@
-import json
 import os
 from wazuh_evidence_collector.wazuh_client import WazuhClient
 from elasticsearch import Elasticsearch
@@ -115,6 +114,8 @@ def generate_evidence(agent, checker):
     evidence, result_clamd_logs = checker.check_clamd_logs_elastic(agent)
     raw_evidence.append(evidence)
 
+    security_events_count = checker.check_security_events(agent)
+
     if result_syscheck and result_rootcheck and \
         (result_virus_total or (result_clamd_process and result_clamd_logs)):
         malware_protection = { "malwareProtection": { "enabled": True }}
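Review bot: `len(body['hits']['hits'])` at the end of check_security_events counts only the hits in the returned page, and `self.es.search` is called without a `size`, so the result is capped at Elasticsearch's default page size (10) no matter how many alerts matched; `numberOfThreatsFound` will therefore under-report on any agent with more than a handful of high-level alerts in the interval. Use the count API, which returns the matched total without paging: `body = self.es.count(index="wazuh-alerts-*", body=query)` and then `body['count']` in both the debug log and the `return` (the `query` dict contains only a `query` key, which is what count accepts). The method also returns `None` when Elasticsearch is unreachable, which the caller then stores as the threat count, so this distinction deserves a docstring such as `"""Return the number of alerts for this agent with rule.level >= WAZUH_RULE_LEVEL in the last WAZUH_CHECK_INTERVAL seconds, or None if Elasticsearch could not be queried."""`.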
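Review bot: The new `security_events_count = checker.check_security_events(agent)` call is the only check in this stretch whose backing Elasticsearch result is not appended to `raw_evidence`, whereas `check_clamd_logs_elastic` two lines above contributes its `evidence`; if raw evidence is meant to substantiate every reported value, the threat count currently has nothing behind it. It also returns `None` when Elasticsearch is unavailable (per the checker.py hunk in this commit), and that `None` is carried into the evidence silently from this call site; a one-line guard such as `if security_events_count is None: logger.warning("threat count unavailable for agent %s", agent[0])` (using whatever logger this module has in scope) would make the outage visible in the collector's own log. generate_evidence starts above this hunk and continues past it.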
@@ -122,7 +123,7 @@ def generate_evidence(agent, checker):
         malware_protection = { "malwareProtection": { "enabled": False }}
 
     # TODO: implement metrics
-    malware_protection["malwareProtection"].update({ "daysSinceActive": None, "numberOfThreatsFound": None})
+    malware_protection["malwareProtection"].update({ "daysSinceActive": None, "numberOfThreatsFound": security_events_count})
 
     # MalwareProtectionOutput
     evidence, result_alert_integration = checker.check_alert_integrations()
-- 
GitLab
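Review bot: The `# TODO: implement metrics` comment above the changed line is now stale, since `numberOfThreatsFound` is populated while only `daysSinceActive` is still `None`; narrow it to `# TODO: implement daysSinceActive metric`. It is also worth recording next to the value what the count actually represents, because it is reported under `malwareProtection` but, judging by the query in the checker.py hunk, it counts every Wazuh alert at or above `wazuh_rule_level` for the agent in the last check interval rather than only malware-related rules: `# numberOfThreatsFound: all alerts with rule.level >= wazuh_rule_level in the last wazuh_check_interval seconds; None if Elasticsearch was unreachable`. If only malware alerts are meant to count, narrowing the query (e.g. on the alert's rule group) would be the place to do it, but that is a product decision rather than a code defect. generate_evidence continues outside this hunk.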