Wazuh threat count

60bd257e · Matevz Erzen · Zitnik, Anze · 46646188 · 60bd257e · 60bd257e
Commit 60bd257e authored 3 years ago by Matevz Erzen Committed by Zitnik, Anze 3 years ago
--- a/.env
+++ b/.env
@@ -20,4 +20,5 @@ clouditor_oauth2_port=8080
 clouditor_client_id=clouditor
 clouditor_client_secret=clouditor
-wazuh_check_interval=300
+wazuh_check_interval=3600
\ No newline at end of file
+wazuh_rule_level=10
\ No newline at end of file
--- a/MANIFEST
+++ b/MANIFEST
-VERSION=v0.0.14
+VERSION=v0.0.15
 SERVICE=evidence-collector
--- a/README.md
+++ b/README.md
@@ -103,7 +103,8 @@ All of the following environment variables have to be set (or passed to containe
 | `clouditor_oauth2_port` | Clouditor port used for authentication services. Default value `8080`. |
 | `clouditor_client_id` | Clouditor OAuth2 default id. Default value `clouditor`. |
 | `clouditor_client_secret` | Clouditor OAuth2 default secret. Default value `clouditor`. |
-| `wazuh_check_interval` | Interval in seconds; how often should evidence be created and forwarded. Should be the same as the check interval set on Wazuh manager. |
+| `wazuh_check_interval` | Interval in seconds (rounded to a minute/60 second intervals); how often should evidence be created and forwarded. Should be the same as the check interval set on Wazuh manager. |
+| `wazuh_rule_level` | Min. Wazuh rule severity level that is required for an event to be counted as a threat. |
 ### Medina resource ID mapping

--- a/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
+++ b/kubernetes/wazuh-vat-evidence-collector-configmap.yaml
@@ -22,4 +22,5 @@ data:
    clouditor_host: 'security-assessment-svc'
    clouditor_port: '9090'
-    wazuh_check_interval: '300'
+    wazuh_check_interval: '3600'
\ No newline at end of file
+    wazuh_rule_level: '10'
\ No newline at end of file
--- a/wazuh_evidence_collector/checker.py
+++ b/wazuh_evidence_collector/checker.py
-from wazuh_evidence_collector.wazuh_client import WazuhClient
 import elasticsearch
 import urllib3
 from elasticsearch_dsl import Search
+import os
+from forward_evidence.resource_id_mapper import map_resource_id
+WAZUH_CHECK_INTERVAL = os.environ.get("wazuh_check_interval")
+WAZUH_RULE_LEVEL = int(os.environ.get("wazuh_rule_level"))
 class Checker:
    def __init__(self, wc, es, logger):
@@ -106,3 +110,46 @@ class Checker:
        measurement_result = len(body['hits']['hits']) > 0
        return body, measurement_result
+    def check_security_events(self, agent):
+        query = {
+            "query": {
+                "bool": {
+                    "must": [
+                        {
+                            "match": {
+                                "agent.id": agent[0]
+                            }
+                        },
+                        {
+                            "range" : {
+                                "rule.level" : {
+                                    "gte" : WAZUH_RULE_LEVEL
+                                }
+                            }
+                        },
+                        {
+                            "range" : {
+                                "@timestamp" : { 
+                                    "gte" : "now-" + WAZUH_CHECK_INTERVAL + "s"
+                                }
+                            }
+                        }
+                    ]
+                }
+            }
+        }
+        try:
+            body = self.es.search(index="wazuh-alerts-*", body=query)
+        except (elasticsearch.exceptions.ConnectionError, TimeoutError, urllib3.exceptions.NewConnectionError, 
+        		urllib3.exceptions.MaxRetryError) as err:
+            self.logger.error(err)
+            self.logger.error("Elasticsearch not available")
+            return None
+        self.logger.debug(map_resource_id(agent[1]) + " security events count: "  + str(len(body['hits']['hits'])))
+        return len(body['hits']['hits'])
--- a/wazuh_evidence_collector/wazuh_evidence_collector.py
+++ b/wazuh_evidence_collector/wazuh_evidence_collector.py
-import json
 import os
 from wazuh_evidence_collector.wazuh_client import WazuhClient
 from elasticsearch import Elasticsearch
@@ -115,6 +114,8 @@ def generate_evidence(agent, checker):
    evidence, result_clamd_logs = checker.check_clamd_logs_elastic(agent)
    raw_evidence.append(evidence)
+    security_events_count = checker.check_security_events(agent)
    if result_syscheck and result_rootcheck and \
        (result_virus_total or (result_clamd_process and result_clamd_logs)):
        malware_protection = { "malwareProtection": { "enabled": True }}
@@ -122,7 +123,7 @@ def generate_evidence(agent, checker):
        malware_protection = { "malwareProtection": { "enabled": False }}
    # TODO: implement metrics
-    malware_protection["malwareProtection"].update({ "daysSinceActive": None, "numberOfThreatsFound": None})
+    malware_protection["malwareProtection"].update({ "daysSinceActive": None, "numberOfThreatsFound": security_events_count})
    # MalwareProtectionOutput
    evidence, result_alert_integration = checker.check_alert_integrations()