From 9eeb9af807898d413d32629e644ca696f418ad25 Mon Sep 17 00:00:00 2001 
From: manuasir Date: Tue, 10 Nov 2020 02:41:03 +0100 Subject: [PATCH 1/4] First approach --- TA_Wazuh_CIM_addon/README.md | 14 +++ TA_Wazuh_CIM_addon/default/app.conf | 25 +++++ TA_Wazuh_CIM_addon/default/eventtypes.conf | 11 +++ TA_Wazuh_CIM_addon/default/limits.conf | 1 + TA_Wazuh_CIM_addon/default/props.conf | 45 +++++++++ TA_Wazuh_CIM_addon/default/tags.conf | 10 ++ TA_Wazuh_CIM_addon/default/transforms.conf | 89 ++++++++++++++++++ .../lookups/wazuh_action_lookup.csv | 25 +++++ .../lookups/wazuh_object_category_lookup.csv | 17 ++++ .../lookups/wazuh_severities_lookup.csv | 17 ++++ TA_Wazuh_CIM_addon/metadata/default.meta | 6 ++ TA_Wazuh_CIM_addon/static/static/appIcon.png | Bin 0 -> 2143 bytes .../static/static/appIconAlt.png | Bin 0 -> 727 bytes .../static/static/appIconAlt_2x.png | Bin 0 -> 4829 bytes .../static/static/appIcon_2x.png | Bin 0 -> 2143 bytes TA_Wazuh_CIM_addon/static/static/appLogo.png | Bin 0 -> 3295 bytes .../static/static/appLogo_2x.png | Bin 0 -> 8427 bytes 17 files changed, 260 insertions(+) create mode 100644 TA_Wazuh_CIM_addon/README.md create mode 100644 TA_Wazuh_CIM_addon/default/app.conf create mode 100644 TA_Wazuh_CIM_addon/default/eventtypes.conf create mode 100644 TA_Wazuh_CIM_addon/default/limits.conf create mode 100644 TA_Wazuh_CIM_addon/default/props.conf create mode 100644 TA_Wazuh_CIM_addon/default/tags.conf create mode 100644 TA_Wazuh_CIM_addon/default/transforms.conf create mode 100644 TA_Wazuh_CIM_addon/lookups/wazuh_action_lookup.csv create mode 100644 TA_Wazuh_CIM_addon/lookups/wazuh_object_category_lookup.csv create mode 100644 TA_Wazuh_CIM_addon/lookups/wazuh_severities_lookup.csv create mode 100644 TA_Wazuh_CIM_addon/metadata/default.meta create mode 100644 TA_Wazuh_CIM_addon/static/static/appIcon.png create mode 100644 TA_Wazuh_CIM_addon/static/static/appIconAlt.png create mode 100644 TA_Wazuh_CIM_addon/static/static/appIconAlt_2x.png create mode 100644 TA_Wazuh_CIM_addon/static/static/appIcon_2x.png create mode 100644 
TA_Wazuh_CIM_addon/static/static/appLogo.png create mode 100644 TA_Wazuh_CIM_addon/static/static/appLogo_2x.png
diff --git a/TA_Wazuh_CIM_addon/README.md b/TA_Wazuh_CIM_addon/README.md
new file mode 100644
index 000000000..2863b47c8
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/README.md
@@ -0,0 +1,14 @@
+# TA Wazuh CIM compliance
+
+[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack/)
+[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
+[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
+[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
+
+This Add-on supports CIM compliance for Wazuh alerts.
+
+## References
+
+- [Wazuh website](https://wazuh.com)
+- [Wazuh documentation](https://documentation.wazuh.com)
+- [Splunk documentation](http://docs.splunk.com/Documentation)
diff --git a/TA_Wazuh_CIM_addon/default/app.conf b/TA_Wazuh_CIM_addon/default/app.conf
new file mode 100644
index 000000000..7dcec709f
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/default/app.conf
@@ -0,0 +1,25 @@
+######################################################
+#
+# Splunk_TA_wazuh
+#
+# Copyright Wazuh,Inc. (C) 2020 All Rights Reserved.
+#
+######################################################
+
+[install]
+is_configured = false
+state = enabled
+build = 10
+
+[launcher]
+author=Splunk
+version=4.0.1
+description = Splunk Add-on for Wazuh CIM compliance
+
+[ui]
+is_visible = false
+label = Splunk Add-on for Wazuh CIM compliance
+docs_section_override = AddOns:released
+
+[package]
+id = Splunk_TA_wazuh
diff --git a/TA_Wazuh_CIM_addon/default/eventtypes.conf b/TA_Wazuh_CIM_addon/default/eventtypes.conf
new file mode 100644
index 000000000..c81d74298
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/default/eventtypes.conf
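Review bot: `[package] id = Splunk_TA_wazuh` does not match the app directory `TA_Wazuh_CIM_addon` that every path in this patch lives under, and Splunk's packaging checks expect the package id to equal the app folder name, so the add-on will either fail validation or install under a name this layout does not expect. `author=Splunk` in `[launcher]` also contradicts the `Copyright Wazuh,Inc.` banner a few lines above it. Pick one name and use it in both places, e.g. `id = TA_Wazuh_CIM_addon` and `author = Wazuh`, or rename the directory to `Splunk_TA_wazuh`.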
@@ -0,0 +1,11 @@
+[wazuh_alert]
+search = index=wazuh
+#tags = alert
+
+[wazuh_file_integrity_monitoring]
+search = index=wazuh wazuh_change_type=filesystem
+#tags = endpoint change
+
+[wazuh_authentication]
+search = index=wazuh wazuh_change_type=authentication
+#tags = authentication default
diff --git a/TA_Wazuh_CIM_addon/default/limits.conf b/TA_Wazuh_CIM_addon/default/limits.conf
new file mode 100644
index 000000000..a1e8bc70d
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/default/limits.conf
@@ -0,0 +1 @@
+indexed_kv_limit = 1000
\ No newline at end of file
diff --git a/TA_Wazuh_CIM_addon/default/props.conf b/TA_Wazuh_CIM_addon/default/props.conf
new file mode 100644
index 000000000..f28ebc44c
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/default/props.conf
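Review bot: Every `search` here is keyed only on `index=wazuh`, so the eventtypes, and through tags.conf the CIM data models built on them, claim every event in that index, including any non-Wazuh sourcetype that lands there, even though the extractions they depend on (`wazuh_change_type` is produced by `LOOKUP-action_for_wazuh` in props.conf) only run for sourcetype `wazuh`. Constrain each eventtype on the sourcetype the add-on actually maps, e.g. `search = sourcetype=wazuh wazuh_change_type=filesystem`, and leave index selection to the deployment rather than hard-coding `index=wazuh` in a TA. The `#tags =` comment lines duplicate tags.conf and will drift from it; either drop them or say in a comment that tags.conf is authoritative.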
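Review bot: `indexed_kv_limit = 1000` is written outside any stanza, so it falls into limits.conf's implicit default stanza rather than `[kv]`, where Splunk reads this setting, and it has no effect. Put a stanza header in front of it: `[kv]` followed by `indexed_kv_limit = 1000`. The file also ends without a trailing newline (the `\ No newline at end of file` marker); worth adding one while editing.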
@@ -0,0 +1,45 @@
+## Fields extraction
+[wazuh]
+SHOULD_LINEMERGE = false
+KV_MODE = auto
+REPORT-kv_for_wazuh_dvc = kv_for_dvc_host,kv_for_dvc_ip
+REPORT-kv_for_wazuh = kv_for_default_wazuh,kv_for_splunk_wazuh,component_kv_for_splunk_wazuh,dest_kv_for_wazuh,file_kv_for_splunk_wazuh
+REPORT-signature_for_wazuh = signature_id_for_default_wazuh,signature_id_for_splunk_wazuh
+REPORT-object_kv_for_default_wazuh_550_552 = object_kv_for_default_wazuh_550_552
+REPORT-object_kv_for_default_wazuh_553 = object_kv_for_default_wazuh_553
+REPORT-object_kv_for_default_wazuh_554 = object_kv_for_default_wazuh_554
+REPORT-object_kv_for_default_wazuh_580_581 = object_kv_for_default_wazuh_580_581
+REPORT-object_kv_for_default_wazuh_591_592 = object_kv_for_default_wazuh_591_592
+REPORT-object_kv_for_default_wazuh_594_596 = object_kv_for_default_wazuh_594_596
+REPORT-object_kv_for_default_wazuh_598 = object_kv_for_default_wazuh_598
+REPORT-object_kv_for_default_wazuh_5303_5304 = object_kv_for_default_wazuh_5303_5304
+REPORT-object_kv_for_splunk_wazuh_550_596 = object_kv_for_splunk_wazuh_550_596
+REPORT-object_kv_for_splunk_wazuh_554_598 = object_kv_for_splunk_wazuh_554_598
+
+## Alias
+FIELDALIAS-dvc_for_wazuh = dvc_host as dvc
+FIELDALIAS-severity_id_for_wazuh = crit as severity_id
+FIELDALIAS-signature_id_for_wazuh = id as signature_id
+FIELDALIAS-signature_for_wazuh = description as signature
+FIELDALIAS-subject_for_wazuh = description as subject
+FIELDALIAS-src_for_wazuh = src_ip as src
+FIELDALIAS-object_path_for_wazuh = file_path as object_path
+FIELDALIAS-user_for_wazuh = acct as user
+FIELDALIAS-md5_new_for_wazuh = md5_new as file_hash
+FIELDALIAS-body_for_wazuh = message as body
+
+## Change and Alert CIM Mapping
+EVAL-object = COALESCE(file_name,host_name,orig_source)
+EVAL-user = IF(isnotnull(target_user), target_user, user)
+EVAL-src_user = IF(isnull(src_user), user, src_user)
+EVAL-vendor = "Open Source Security"
+EVAL-product = "HIDS"
+EVAL-vendor_product = "wazuh:HIDS"
+EVAL-app = CASE(match(signature_id, "5303|5304|5402"), "su", match(signature_id, "5503|5715|5716"), "ssh", match(signature_id, "18107|18149"), "win:local", match(signature_id, ".*"), "wazuh:HIDS")
+EVAL-ids_type = "host"
+
+
+## Lookup
+LOOKUP-severity_for_wazuh = wazuh_severities_lookup severity_id OUTPUT severity
+LOOKUP-action_for_wazuh = wazuh_action_lookup signature_id AS wazuh_signature_id OUTPUT action,status,change_type,change_type AS wazuh_change_type
+LOOKUP-object_category_for_wazuh = wazuh_object_category_lookup signature_id OUTPUT object_category
diff --git a/TA_Wazuh_CIM_addon/default/tags.conf b/TA_Wazuh_CIM_addon/default/tags.conf
new file mode 100644
index 000000000..751bda0c9
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/default/tags.conf
@@ -0,0 +1,10 @@
+[eventtype=wazuh_alert]
+alert = enabled
+
+[eventtype=wazuh_file_integrity_monitoring]
+endpoint = enabled
+change = enabled
+
+[eventtype=wazuh_authentication]
+authentication = enabled
+default = enabled
diff --git a/TA_Wazuh_CIM_addon/default/transforms.conf b/TA_Wazuh_CIM_addon/default/transforms.conf
new file mode 100644
index 000000000..7b5de9b50
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/default/transforms.conf
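Review bot: The `match()` calls in `EVAL-app` are unanchored substring tests, so any signature_id that merely contains `5303`, `5503` or `18107` (a longer rule id such as one beginning with those digits) is labelled `su`, `ssh` or `win:local`, and the CIM `app` field is wrong for those events; anchor each alternation, e.g. `match(signature_id, "^(5303|5304|5402)$")`, and likewise for the other two groups, while the catch-all `match(signature_id, ".*")` can simply be `true()`. The same rule-id lists are maintained a second time in wazuh_action_lookup.csv; adding an `app` column there and emitting it from `LOOKUP-action_for_wazuh` would leave one source of truth instead of two. A minor inconsistency: `EVAL-vendor = "Open Source Security"` and `EVAL-vendor_product = "wazuh:HIDS"` do not agree on the vendor name, which matters because CIM searches pivot on `vendor_product`.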
@@ -0,0 +1,89 @@
+###### Lookups ######
+[wazuh_severities_lookup]
+filename = wazuh_severities_lookup.csv
+
+[wazuh_action_lookup]
+filename = wazuh_action_lookup.csv
+
+[wazuh_object_category_lookup]
+filename = wazuh_object_category_lookup.csv
+
+###### wazuh ######
+[kv_for_dvc_host]
+REGEX = \s+([^\s]+)\s+wazuh:\s+Alert\s+Level:
+FORMAT = dvc_host::$1
+
+[kv_for_dvc_ip]
+REGEX = \s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+wazuh:\s*Alert\s+Level:
+FORMAT = dvc_ip::$1
+
+[kv_for_default_wazuh]
+REGEX = Alert Level:\s*([^;]+);\s*Rule:\s*([^\s\-]+)\s*\-\s*([^;]+);\s*Location:\s*([^;]+);(?:\s*srcip:\s*([\d\.]+);)?(?:\s*user:\s*([^;]+);)?\s*(.*)$
+FORMAT = crit::$1 id::$2 description::$3 component::$4 src_ip::$5 acct::$6 message::$7
+
+[signature_id_for_default_wazuh]
+REGEX = Rule:\s*([^\s\-]+)
+FORMAT = wazuh_signature_id::$1
+
+[signature_id_for_splunk_wazuh]
+REGEX = \s+id=(\d+)
+FORMAT = wazuh_signature_id::$1
+
+[kv_for_splunk_wazuh]
+REGEX = \s+component\s*=\s*"([^"]+)",(?:.*\s+file\s*=\s*"([^"]+)",)?
+FORMAT = component::$1 file::$2
+
+[component_kv_for_splunk_wazuh]
+SOURCE_KEY = component
+REGEX = ^(?:\(([^\)]+)\))?\s*(?:.+@)?(.+)->([^;]+)$
+FORMAT = dest_dns::$1 dest::$2 orig_source::$3
+
+[dest_kv_for_wazuh]
+SOURCE_KEY = dest
+REGEX = (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
+FORMAT = dest_ip::$1
+
+[file_kv_for_splunk_wazuh]
+SOURCE_KEY = file
+REGEX = (.*(?:\\|/)([^'\\/]+))
+FORMAT = file_path::$1 file_name::$2
+
+[object_kv_for_default_wazuh_550_552]
+REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*(?:550|551|552).+Current\sMD5:\s*'([^']+)';.+for:\s*'([^']*(?:\\|/)([^'\\/]+))'$
+FORMAT = file_modify_time::$1 md5_new::$2 file_path::$3 file_name::$4
+
+[object_kv_for_default_wazuh_553]
+REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*553.+File\s+'([^']*(?:\\|/)([^'\\/]+))'
+FORMAT = file_modify_time::$1 file_path::$2 file_name::$3
+
+[object_kv_for_default_wazuh_554]
+REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*554.+file\s+'([^']*(?:\\|/)([^'\\/]+))'
+FORMAT = file_create_time::$1 file_path::$2 file_name::$3
+
+[object_kv_for_default_wazuh_580_581]
+REGEX = \s+wazuh:.+Rule:\s*(?:580|581).+Host:\s*[\d\.]+\s+\(([^\)]+)\)
+FORMAT = host_name::$1
+
+[object_kv_for_default_wazuh_591_592]
+REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*(?:591|592).+\):\s*'([^']*(?:\\|/)([^'\\/]+))'\.$
+FORMAT = file_modify_time::$1 file_path::$2 file_name::$3
+
+[object_kv_for_default_wazuh_594_596]
+REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*(?:594|595|596).+Current\sMD5:\s*'([^']+)';.+for:\s*'([^']*\\([^'\\]+))'$
+FORMAT = file_modify_time::$1 md5_new::$2 file_path::$3 file_name::$4
+
+[object_kv_for_default_wazuh_598]
+REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*598.+file\s+'([^']*\\([^'\\]+))'
+FORMAT = file_create_time::$1 file_path::$2 file_name::$3
+
+[object_kv_for_default_wazuh_5303_5304]
+REGEX = wazuh:.+Rule:\s*(?:5303|5304).+\s+([^:]+)\s*:\s*([^:]+)$
+FORMAT = target_user::$1 src_user::$2
+
+[object_kv_for_splunk_wazuh_550_596]
+REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+id=(?:550|551|552|594|595|596)
+FORMAT = file_modify_time::$1
+
+[object_kv_for_splunk_wazuh_554_598]
+REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+id=(?:554|598)
+FORMAT = file_create_time::$1
diff --git a/TA_Wazuh_CIM_addon/lookups/wazuh_action_lookup.csv b/TA_Wazuh_CIM_addon/lookups/wazuh_action_lookup.csv
new file mode 100644
index 000000000..722c44ddd
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/lookups/wazuh_action_lookup.csv
@@ -0,0 +1,25 @@
+signature_id,action,status,change_type
+550,modified,success,filesystem
+551,modified,success,filesystem
+552,modified,success,filesystem
+553,deleted,success,filesystem
+554,created,success,filesystem
+555,modified,success,filesystem
+580,modified,success,filesystem
+581,created,success,filesystem
+591,modified,success,filesystem
+592,modified,success,filesystem
+593,deleted,success,filesystem
+594,modified,success,filesystem
+595,modified,success,filesystem
+596,modified,success,filesystem
+597,deleted,success,filesystem
+598,created,success,filesystem
+5303,success,,authentication
+5304,success,,authentication
+5402,success,,authentication
+5503,failure,,authentication
+5715,success,,authentication
+5716,failure,,authentication
+18107,success,,authentication
+18149,success,,authentication
diff --git a/TA_Wazuh_CIM_addon/lookups/wazuh_object_category_lookup.csv b/TA_Wazuh_CIM_addon/lookups/wazuh_object_category_lookup.csv
new file mode 100644
index 000000000..ca046ca3f
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/lookups/wazuh_object_category_lookup.csv
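Review bot: The leading `^(.{1,32})` capture in every `object_kv_for_default_wazuh_*` and `object_kv_for_splunk_wazuh_*` stanza is whatever precedes the sender IP in the raw line, presumably the syslog header timestamp of the alert itself, yet it is emitted as `file_modify_time` / `file_create_time`, which CIM defines as the object's own mtime/ctime; unless the syscheck message carries the file's timestamp, those fields should not be populated from the header at all, and a comment above the first such stanza should state what `$1` really is. The ten stanzas also repeat the same `.+\s+wazuh:.+Rule:` prefix with three unbounded `.+` segments, so at search time each one backtracks through the whole line for every event that does not carry its rule id; stanzas that produce the same FORMAT fields (550_552 with 594_596, 553 with 554/598) could be folded into one alternation to halve that cost. `[object_kv_for_default_wazuh_5303_5304]` assigns `([^:]+)\s*:\s*([^:]+)$` to target_user then src_user, which is not the obvious reading of a `user : target` su line; a comment giving the exact log line it was written against would make the capture order verifiable.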
@@ -0,0 +1,17 @@
+signature_id,object_category
+550,file
+551,file
+552,file
+553,file
+554,file
+555,host_info
+580,host_info
+581,host_info
+591,file
+592,file
+593,win_event_log
+594,registry
+595,registry
+596,registry
+597,registry
+598,registry
diff --git a/TA_Wazuh_CIM_addon/lookups/wazuh_severities_lookup.csv b/TA_Wazuh_CIM_addon/lookups/wazuh_severities_lookup.csv
new file mode 100644
index 000000000..234084ffe
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/lookups/wazuh_severities_lookup.csv
@@ -0,0 +1,17 @@
+severity_id,severity
+0,informational
+1,informational
+2,informational
+3,informational
+4,low
+5,low
+6,low
+7,low
+8,low
+9,medium
+10,medium
+11,medium
+12,high
+13,high
+14,high
+15,critical
diff --git a/TA_Wazuh_CIM_addon/metadata/default.meta b/TA_Wazuh_CIM_addon/metadata/default.meta
new file mode 100644
index 000000000..1f33b06cf
--- /dev/null
+++ b/TA_Wazuh_CIM_addon/metadata/default.meta
@@ -0,0 +1,6 @@
+
+# Application-level permissions
+
+[]
+access = read : [ * ], write : [ admin]
+export = system
diff --git a/TA_Wazuh_CIM_addon/static/static/appIcon.png b/TA_Wazuh_CIM_addon/static/static/appIcon.png new file mode 100644 index 0000000000000000000000000000000000000000..f8eeeadc96f9788451da1cb2149b9fe841a4a266 GIT binary patch literal 2143 zcmeAS@N?(olHy`uVBq!ia0vp^Dj>|k1|%Oc%$NbBSkfJR9T^xl_H+M9WCijSl0AZa z85pY67#JE_7#My5g&JNkFq9fFFuY1&V6Xz}5igjtE6@fg!CBxDSzC zHb_`sNdc^+B->Ug!Z$#{Ilm}X!Bo#g&p^qJOF==wrYI%ND#*nRsvXF)RmvzSDX`Ml zFE20GD>v55FG|-pw6wI;H!#vSGSUUA&@HaaD@m--%_~-h7y>iLCAB!YD6^m>Ge1uO zWNuz7iBo^o!>KW)`(^Qg~hHxH=E|3gPZK)NR zIJALeAlkrz0db=ZFhs3<^HVa@DqRvwQtgZk49#^7Omq#6Lkumf3{0#nEN%4B)F6Ba z*6m!Bnpl!w6q28xV;7KFk(!eW;wl*HnL%_S%Ohz8`NGP-C^Hopyr4j|Gqlmi5JOiV zlvxocyBTg2d!hkZ-_Rkc7}xgRP0gWet)9RHKbPD4ijtJ4m7iivm-%9TzaX zVL8N(D>yb_Coq4udb&7He!F{WsK|lm6(_4RD;>4=sKf;yDZHfO1l8P$Fj&u`TG6&`%2U18-Jc# zyw5Ox5$pcQ?EBZ^s^6aexoqv*`k(957A#-BTq*Us`He!}=bp@-Z`+zPbS`h7xqeoe z41crVj8tcBVORMtB@vQOrH-d^KV-2L>^tZup>($9;&I(=@69Y29?LZA?R{%n{Lo?f zx)13;BvR+Ho&CQ+rLi~VX+OY<9?UYf$!Rcn;sU^2UG?(8h}@}pi?sxMqWB-G*Hbbm>nmPCVHQqS`Y(;ANH zld8_xX>w^)`5d0X@2oiIxMbm*#Q`c8?Q`QD4u1ZjedC_L(%h?TL6$9VKgpa~P-JWq zle@+=>8aJa3{W0(9M2DD+jTaP)o8~d(AI=Tn`4FdCv(mQyX0P+|#_MeE zi`RehsNl^z_;*saMV)Ay^Z$lLLbg)d4!H)LIm3J5;NFyzYyM3A-Rbk!?`CVY*|pMOBDBjL`z{)A1F7oSc~U9jS?V3m%PUGzZ0&z-``U)UqpL-MMNTV#nrvP3ZHII=$CqP<*ePO z?mwH9MeomjTw=lXuf34@PyQo?+Twm2%I3y4amY?$0rcg<2OIG)RG1}uSx|ab!%R~>6Us-#u#4i7I^)GwwaZgdpuiEJUg_T5ZQfbS)M> zp^z5ILd;0`l)TW&|BIMup+&-*z7f$svC_iMoh~@oH!&L^q$xz6*BOi4r=atdAxFC9 zerQa5EpWc?hfVTz0s`_^)pU?alDrFf(tf8pahPHwwo1R-ik z-5|0WrwS>yd%)=Wu+0?Xw?$?LGU6QSy|UiI{zkT=+I23*1=@=nwdG2=5DR^jDE}l3QHUZVAN1qIP=(HLI{Pl#ohdSB z6Cc7Lg^;MuCLIuW)KLim+Bg2--;xFs!WF=Wo{i_w_22~&eE{2dPanrVOi2I$002ov JPDHLkV1hMOM<)OP literal 0 HcmV?d00001 
diff --git a/TA_Wazuh_CIM_addon/static/static/appIconAlt_2x.png b/TA_Wazuh_CIM_addon/static/static/appIconAlt_2x.png new file mode 100644 index 0000000000000000000000000000000000000000..4afd6dbc34828ca3f7a3eee82e58ca4d44a5b3b6 GIT binary patch literal 4829 zcmZ`-cRW@9|G!4cC3`2Xk?iZ*F0MVJY_5>&UgPF+bzR%d$S&88jLIw$5z1a6WMrjl zL>Ub`QAU2$XZZE_e9z-?#{2bpKHtyR^L5VapA&0xQSUU63kU!JP8;ZJn;qWukIqw6 zhgZwxr+SAsGH)|IO+Z;c_ou@JwU<8J8vvkTK03(&nb{lw03|=#!Uk_+Yy?GOJtPq* ztdp~(zlYZ$8URr7haNt9IO7o@e-DhOH`HI1{}%#!_FLBU`@KR-!78A&Y86%0{QQUXg!gQcY< z4iOUG0iJk-zl5i^!0%1|-bdTn8;L`E;n7%6(9ymKC#(-%m7o7e=%3?vop`j%ze=9o zf7v=T2tLYyA(B$y|DrkjqyGo(DDyvQDC9q`ynJw&U!G7%urtQl!`Tz>eaM6Sr`%z0 z{~`XrBK;9wzr}tv@wYdXqspOX&fZvz&ru63J<)iWw8}3-e}@0<$ZwVw*24?u?CpI> zgUS6xIUf5HZ}YDVOyO^hrDQ!~aX*c<>nEsP#}2w7)aP zMjL(D&|fZ&s`}5wpF}Mz28%QILLi-w3j0Ml7WxzYO9uYGWR4|{5m88}w~y0RXC(gE z+d6z_zrKA@q>)!%*t&6-EeY;p1eFqkOGMB)eTNMXr>!CPxYk;zxwgDN$Iw>ffh!@hFwTM|}fx zzG?`{tJ7P*psoSK9$QIm}rj&68lG{s|Nu{Cqy6Yo25 zRCr%LbtUkwU2-&4hU|2L=Ov;zji=R8`&-IPx%yM~H`uzFiQW5>6<-23L^88Pb6dxl zE^P`71KFF#+p+=g_q93M_69OI?=?n5Fx^mk{^h~vyW!fFml|5e5K4W~eV<K3? zJF_d^-5bS=N!xFjreU0CbHJM^Tt+#G6;!DF31VFK z6oC#vP1kn^6A(Y5)jYg9sP;Nd{a}!1{LHP~uat1<6Pg++Pd6wDx501-Fgd^K`q0;rPjs zI5k?+?M?6R*~m1=y>4LMwj_ypQPjxRH+T~5J}ul+m|sfvzAZca+r1|2hNt1$A`sgM zRn2`?UU+p1zBVr-ykZESQJgW3_Wk%edy-%UNb+lGu-7jWMdm)&UYpP>B@i5SZPO{k zV*|XF3DVvdkdT15>}6|2&9td9bCdvc|3Sgu|kGDUhbaJnS426FM_= zN`ZuYs{2qQ>!W@A)ehSF{@&rIR3co;U8$(h4{hq_FKBXg1*jEhcM4et1w3n`O4#q5 zR6V1HH}H8qyX$&=xlk?d8!dyceG21&&1}P)em8g#P+avZZUVHjlExt5cTh6nBA;_! zfUq^`M;_DLqbea$|6n?JVP-{@jD>Tj@6-}`@B6D0Sz23Tev?yA#ieuZ0-WM(TIK;v z7X7o03dLXbJeF6^q460x86T^y-vA=5$0n&KydOOR^gUuxHNI4nunzJaICFE9B-4mr z>=})+9`oRt?YH*5ov~H_)(=?wgULJ6Rbo4#KU5wk0^0R1|4xT+L!N!#wKN1aCuO ze0N+%HGFJ6^3FOi0a(jRz$r%SbSd-X&<__cwlyQK_{*|y`;({>*77F(=kuvZ@xj5iT%Z?_;StYU57U%m zhH7t7 z5iyIYVmpEYS_a2EAMV$BZf^?rI= zu~SZ&Sy9l>_H^Y*d85aiH_z_NOR2SAdz+Z6Wy@?^Q?{OeyJIO*R4o6>rj$kFXfUnr z8uS8%c_f+r>b6N&v73P#DaoDGYgi9k?5(aitCUmA7dR2uR8%y?or$81ibn9d>RDN? 
z)O4kJ*a^Rs4~Lf$>>cPoU&t+tw4kcIGUxmD(4?#E7)fS>|!bNMn0 zj6v}gWkk?L+NA9!$@c2i1lhQ@4x=2D&Qq;77VIZBXXNdY zh5c@e&=GS(FsJt8%13)bx^!^g)+iaS-5MB^0f@}Ij8)RxZgvpcetI`G?uNTuPB!y- zBX^2I-b?b^v;L(D3!_G)F-oVyEUWW6e}{5HZ>!qnS#q-O+HPYc=j8W&`97~|DCWrw zO-AZh^KdPBlZ2+n?xeIU@BF$KeJ?*7sM00HcITcHZ9=o>#gTnOmGc>4-Ojml0 zt144X1k;tI4e(pla_b&2(9hzccnHl;s^<~AL9d6bFFt*DrprPlY;{z->)dp!F$Bz+ zy+){y&Qht8VOF%+z`7aEBx73m;3^c_@x&6=t^o6|7(m5aTQjtQ_ zKwX`$d6!Yhl`3y}JK_a<$d;oe^JseMb;2z>6O${4W6!yUnNBDslgk* zuuPbnPJI8Cp6*q@RGP}edikV(pYc$|!UP>GaEOjX2ntxBGATX37jLy}IJsc!;*nP$ z$TJ9U`s{mmN%aZ-{MA?1S+Y{JwjXr8=m)a z!)BaZ{Q)sE`ML%QK7U@`e!bGVXHI?X90sAQbc4d34;~e)R0DHg@~wptC}Jo@O#S-O z3R(gwrERRIuptckiZwsExBbc`CAl{Gb6?K#kLSkQX?mrn?h?a_mm$tyqcnD6^_kB| zu~`S+i(F7#U46f+$+xK!FIJ>>TTHlnnQ$V8BYLz>tRiG0LwY%^6`%rKb6d5zrNOT3 z5oMadTFk4v#z9t|6mw=5`nr`ZOuI_I?fLvnT-;;98}~Z=LiL{`di{*q4IOD5PAa3B zsA%8Br@1Z9*J<~5=jYEyal8ap<#4OhW(zpt?c3vu<+_dc16LVC^%d<#bA$!a=lNZ& zx2aX>g=T*xM+UaBL}_lqB?Qq#o_A_0uv z2>mREkF(`V!B!TwcLO&;^ijTMYO3%+mit;8msg!)m#cA2Fk(2ZV(Iu+)H!qF_m^Wy zmI>q$V$Ey)n0#})IpO#$LpK3(LvGuQf#-Y!X+^GN;ds+AGy3g4>b^SOjv-w)XNp~G z{_)KlSWzBTxI_UPk8R^K4BDx ztJZE+{Q8RkJ9$h)RX2^ge*E=VmBD_ycsXZ;>D>qTo9P-0npy0j`s&=q*ft_8DE$&+ zHIGMB>=r>eiLRxAY^0^AF}`5G2~!`@b$^zKnshrC8T58mM=lV06mXa3G8E3~@C7>7;u)&K_6dqHyoSM!Elf_`Kk~0}3Bp W3F8=7^T^RZCj*^}+GU!K;r|EfC2IHp literal 0 HcmV?d00001 
diff --git a/TA_Wazuh_CIM_addon/static/static/appIcon_2x.png b/TA_Wazuh_CIM_addon/static/static/appIcon_2x.png new file mode 100644 index 0000000000000000000000000000000000000000..f8eeeadc96f9788451da1cb2149b9fe841a4a266 GIT binary patch literal 2143 zcmeAS@N?(olHy`uVBq!ia0vp^Dj>|k1|%Oc%$NbBSkfJR9T^xl_H+M9WCijSl0AZa z85pY67#JE_7#My5g&JNkFq9fFFuY1&V6Xz}5igjtE6@fg!CBxDSzC zHb_`sNdc^+B->Ug!Z$#{Ilm}X!Bo#g&p^qJOF==wrYI%ND#*nRsvXF)RmvzSDX`Ml zFE20GD>v55FG|-pw6wI;H!#vSGSUUA&@HaaD@m--%_~-h7y>iLCAB!YD6^m>Ge1uO zWNuz7iBo^o!>KW)`(^Qg~hHxH=E|3gPZK)NR zIJALeAlkrz0db=ZFhs3<^HVa@DqRvwQtgZk49#^7Omq#6Lkumf3{0#nEN%4B)F6Ba z*6m!Bnpl!w6q28xV;7KFk(!eW;wl*HnL%_S%Ohz8`NGP-C^Hopyr4j|Gqlmi5JOiV zlvxocyBTg2d!hkZ-_Rkc7}xgRP0gWet)9RHKbPD4ijtJ4m7iivm-%9TzaX zVL8N(D>yb_Coq4udb&7He!F{WsK|lm6(_4RD;>4=sKf;yDZHfO1l8P$Fj&u`TG6&`%2U18-Jc# zyw5Ox5$pcQ?EBZ^s^6aexoqv*`k(957A#-BTq*Us`He!}=bp@-Z`+zPbS`h7xqeoe z41crVj8tcBVORMtB@vQOrH-d^KV-2L>^tZup>($9;&I(=@69Y29?LZA?R{%n{Lo?f zx)13;BvR+Ho&CQ+rLi~VX+OY<9?UYf$!Rcn;sU^2UG?(8h}@}pi?sxMqWB-G*Hbbm>nmPCVHQqS`Y(;ANH zld8_xX>w^)`5d0X@2oiIxMbm*#Q`c8?Q`QD4u1ZjedC_L(%h?TL6$9VKgpa~P-JWq zle@+=>8aJa3{W0(9M2DD+jTaP)o8~d(AI=Tn`4FdCv(mQyX0P+|#_MeE zi`RehsNl^z_;*saMV)Ay^Z$lLLbg)d4!H)LIm3J5;NFyzYyM3A-Rbk!?`CVY*|pMOBDBjL`z{)A1F7oSc~U9jS?V3m%PUGzZ0&z-``U)UqpL-MMNTV#nrvP3ZHII=$CqP<*ePO z?mwH9MeomjTw=lXuf34@PyQo?+f{OpuToBFzwW#OQh{MI?rxG@>#=8l<~R#*~!N zj8dAHM&jf9^ZVmF=ef^4_ug~Q^Y0UDY^29X2ciQ2fKeZ=V|vZG*O2&&@_HN0F63Vm zB}&s!696i)^ydy#*ILL4ZfXbsL1F+99t{9z*H-v10PvLqfOUHSfTRNemuGgPiTZUw z?ugLS0j^@O__k|B>j}5U002Gfe?c}f8+Lwe()j2b>e4JRuu_0PQdAIfu~gW<^ht`g;<9w->{4K(j-qM#9~fo))%ND7f00N|(`?6%?MTv(^DZ=#*zQ4&WF9fi zi=BCjECnX`$CEGV(oXW?%J^CJ1%LJTv4vl#j)f;>Y{7mR-e$sogoPp=7_Vk6i*%jG z&7`!bzJMO(X?>+{SBjn4*y~%*+D6Ia+c=M*d9B+|s1Z#IPgDMyN29AM))O3Emvgzh z=RIqD4`hZDJ{!diD-hz36sH&eBq7b_ z4>Zh1RV2XRdJX>SU5DWN3|$%aRf_waIVxq~swI z(Vd_IPgOxjwt|Y-xd3Eo>`wd9lNtY*`Y ze%NlAfq3z=KK!Q|A$@?=pnoV{E;GY@_T^Z}6vyS*yRrid%QKuWM$ytT1Ifwem3rLA zK>qCYW_EV{(svZwj6MP*so 
zNDKs^MeBpxOo@(BWa`4LOT5;SE^i)~R)0wWXAy1v?!^(+bq$O%H#uvIq#F;kx_eGBKJQ-jFq|8ljp0HEHEp z!o?CI78IvK9Rs7(Ubt(`lGNwPEip`poa~)MZ9@Yc*2C%Ikc&oe6iL7v@CMUDO z_4WG{{on%<@W07#@zjPTywfnC7OBRsLTb{(P1x5*30Ug%*Mk0W98YhYa8;uC?)KOd z2cSh33D|GJ8x3A38Z7oVo_rNzZLs4giiCeHVeQylBmT=%6x_D>Tq zSI!CD2(yhp-u=ZaW8fD35@B^eH1b_|BvEPwzW(+WJTTn+Z6P=|g@_GlR;vVf%#9p5 zslG<=a=%_{VB!L(Xp1G7RU`7$8qelTO0fd@yS8OGLH&lbQESAluV+7R3BTvrZ|QWG z4Dd-+r{)ZuXmE7AP4JI0FJ7lw+L!hAkQFqST<1CB7EWpNnCQ{#kcmojIpzQ4Ti3+Y%p|14k0%ch+~fO38<9I0?jLHYL0+k9-}+;^ za(u#oKn5F1kmhf$KA^3*7x$|`i)n2iM5YgK$cEC%hqZ@NPIyw;QF{{{dA@hQQki1B zGiOYaCwzcu_41#KJ}}8Q=!$1 zrcPz5JmI1EuD@j?3-3PW9@?vPxQxv(%UQ1GU0x*o#x(watK?O7Ab-4(@u8Vi7TJ-S^Lhk;*0Dsse{jFJmP-+_NG4+UJDAQ z{O!OLYky~SHlr-|yG+gZF?_e`<1GUZzt3Ea1s(Wgnv=K4DpJf+Y2#)@D>KKXWbkH9 z-($r4nb!yOnaYz&yOCD^y4ScGwhUPt=A76?m+yVc3spy7Wf2ZC`|EcC%npL=_Lwb; zDc0$jKxB{E+S|+}SJ4OkFq82%K^AW)YoJ$xw#C@zBY57)iYW$z`3Lf??_7xdq&c|S zJUmkooBXr3-DVB%w+rj2`?O!Gy{TCLi6TV%vUB{>CZ<+~b>kCk>e1gTXd{wVBI*@J zC8_*hRy!0=ny1{TYBC!S2|0&&p@06WD&X^?9mx8@!xKBJ_CGw%5c;RbU5>9zvCnMD#uy4Ct*JhMEgZdY_ zHc=TZ!x_B9vkFYNqzyB>MQArg-tfZE>O|=oCb%im6RSw?8#QX!lRRj%@O*gx4QBba1T^qW8cT!xs#M;WF&E8Q?q5emm@NuG2Jh&Cs66oG<@t{x6^)z-D7) zY+*=A7L<|XM^^Dh!|t;MU-dRNhZALsMi0H_5cGbTo~}YvoVflvUN4Hc#X~iltxA!Y z;uzI|V1DoZBJ<*<6Z}k7&sWWmI?3^(DE{7`jypBr*d4N+D)e|k_Apgz*9>~Lk;{+7 zOnpzl+Tl)0!K{;B&2s8h*3!}&S@G9}87h5;!(X^Ebh=uk%Gy*x7!>xk3h~fuGmms? 
zbf1vt<)ayrwpQ;#SsmD{r?~9$0OQU_q=$Z5N2rx3*(LjGk~G6QcKUdqldJdh4&5)$ zqKwXNXXEQ@;2XI2HCZDB3gF>rzcF!m^akr*R_i|x{})y?l>aC$JJRu=&|MV`Jpceq{QnOU zAUl`jzasTVMJ-hTz>fg{fQJGAe_#LeF#zDj2>_g!0|3IA006N|irJ9-f30pxvQj#} zt7mz(nFP9vBe1qA;rI7@6L@kziqL2~;ooZDA(lY8&N4pMis}$Wylg31DLE7Tnw?HK zI$aC~3KlY<6eN`zYMYtsSLUI=aWA7QGmll#b=e(sv^zgNsIyVk>2>k9AV7ttlwL_m zd9J^N-Y}_zo*_8-f8ZIS*qql8SGWuruxqrwX4%?ZBTTrg?oY}6_bF3X-N|A>?t4A=cw|V8;FqY75WpJUqEVLVUUj>Y>Y`h zd!VKQB_W+pQOgP8K|`{F`E~$#u2*R7y%<5+#_Z^SI?0n1Ib*hkOMW zM%Z*j{dUMxV_mp^23}0inbk6Dbl@80qTBi*^wA@*PsT0Q-SFO^b>$$uGue@JL)62E z9l3{WPRhKG(R1x5M{r7zFxS=lH1;{%rA$CN>7g=_RC9_h!qE{+C}t?@D6FV9F*#<5 zmrK2Pv$#Qe+4!3eltHYayd%N8n&2S{Y1jobVLKWla<-r_`4U`yd%jtHj3wvb0Ces4 zPmQLbS)XHDeett^#+=_1%kNZ12gy!2a{e1lS1TIwm4iNfMN&-+p2XraD&l;k8W%a0I?A)uKIKD{Y`guUkWu>5fG2jn*s(VK>{%m z5{Llqjh1rh94!N}-p}E%7sxX*ClWFOI!DALcb(aUL!* zelXFHBiXK}0OdRs*Ds}b_XWgh{`%wJKH$ld&xQTHXQ>ZSMWth}(Hj&b zyZ-g_LJZ#Fc3-um6-ug>6Wj~yMn1BAPR4ledAq^~l9c5u!mcFI42H~bN|QpRZgY_` zKwK^BTh<%^7NS`K!f;M6zxa;!kutt<&~xqSWz;!u8n+y%5l@P*cw(sxC?+TCAW{{wS!$ zy~cAov_E%0ql>d0O!A&Bo^MKEw}xTW!=31IEym-uw2hN-W-dY{7?P?tM_n>RWDw=A zFS-qR+Gl4K5~YyZE&AnblVl|gdjaS9;{5L=bdnWKL^m(Ot8Tm0#-Tf|%v%j{ zd9xG8Z^@eP2klMml)=djnasYMKdr}pn0FAc2`=+b-YtY*HnTwUcWc1<8W-7 zZ1uM4+}I1_Kqv^qmP8Y;rjHXm9)sBY%Q+~sQTASgkYy8`jnjS_Nz@MzS`qEqii8X} zPWtP!@j`M#jVhC?QiyxpZ0=9vO%v$?H9QlS1m`>X5y5`ipb<@i(-wC)62dk;*!5Le z<2KM3YpCJE;d__nAKqTiv6-nw{Gv=13xLITx6LrFE~c~#Q)W@c5k|HS8dWiok9vl) z<-hfFXeLrXQsL)!inbeyYil|5`&;l6;fI|GEQ6~?hP{)o0zMsIuWU09;8)Vxs^3}Y z=wi4h6JPtM-T{0VK8Q^RZe8(t+9e)NLVq-I42%i<+Pf1J_5%758k34sD*o}f56kcN zs^qqGi>Ak)b9(EG4eo}9m<5}ne?pN36`l%S--YcJ7;h1?lT?d<>Wdu zPlZb~`cG8^q5m;*G*vI#5`JYbNWt{-N}|J|YJ2V@q{8u$G@vxI0Se;Om$cl>3qaiz ztt4eowBZ+rR5oYezK=1*MNILqSOfMZQlOYPTyz!D?w(Pi|7Jz~>Bi#xd~gdqmAE?= zwW04x&U#_oxXu&UeL3O(Vs4+zZqT;5W5%Pbpq%8)_<)n#gX)+*ga-|iWhawfoXc|^ zRBAKkGIV4JK!m<%i1F?XtgQ7RFT`3pp=Ls1$H)3)6ZI}45zUQ}Mz5&~h#pi@6>z#v zsSfinHu!?4MKgkVG1?z|_A2p%u9zMr!E<|>NbnObCQj{54r7F>6x*`GcJi76Xhp#y 
zW$HwUcs)nI`#}mDHHKZ2>|EziWqg_3y7R)?&Qqh04ZKZ*N%H67he;iKV21zZqcXD> zbUpp4%$j=1Nz(awAMK0?&s%znqwrZT%1Hdb9rZ%}T+3Y2w zYLOI0%*((eNLbWZ<5ida5Ry z+ueRK^-*Azo9^hSkP=mSYS#8gxkIpUNg(I3wzA&mSYtM1`5`yEsNZAw9D1U-y_NnK zgmql%%A9yv7_)5qVe#9LWj3iwkc+_Hl%Y*D6}mjeKx@odP!~MNXT%VbRpJ@q%^VdY z9oG1!*po1yLLyed*@Q9phh!V_!kr{%GfVm?NqR#kPgCD!px=HKZn8)#wb5QCds?cE zcey`579%`m5G~Bv5RD^=!9LKGX~e7nwMb35Rq0NZEQsmy6Hj60(&I{tKzY0N<>NCR zWQGBaJtvF*rC3Ny`d6Em5E#z7&1&w@q&WBemcvq%zqQ5MIDx;mk|lp#?dD%ycAh=w zD5j62@IQ688~$V}rm$`k$?C{p2st@qJ*RfRC(HX5!(NAw_6(?;H>xV}`tO-=$diWl z6k%xd$%YP-N!@C^#Wo-KA;*qQi}J6&wbk~0LnYeosrKbrCVh-;AH%J!ycg2&JG5W; zQ*StG8^@u-n;muwtwQ=@=yB0qW(6^Quhwy0Wp_$_T|8IgP{l?=X%35ed`C4##ZjOV zCKmh5x1zlQ6FG}5<#jNPG+*TzOReQ$7)>NtuHJTO^UPHk4NMnB9fgJT4h`Q5)=e?1 zDilHWtltmuAEJhes1=K)s}r`6>)?|NfBfhVprR`N(HVT}zQH7;LzXjiC>{rqpn5L1 za^}yX>6IGeCzsf4`IQmr*9%xD6{zyL-6Lc7i4QzXOIn4_VNkCF(oT22ElEWwN0F9Q zL-{4Or948lKxy?MrkD^i^736fF+jV8EB#hGh>g>YpOm90cPjy(;MzM<5X@g{E$)U~MmXKJY}>zY{qF#6 z0DXYI@rV(KZgt|HdFP~qtxL}-$>n!uf)3sQW4{Jl69u>es}D0<0%Z3I*X%OFw}?v` zAsny@Lv#?2nKAI3P&awJoo$GyibS)&)j{sBNRZY8jJ;xg6&3w`Lp<;NV1OcKi>p}C z3l!bU)znrgSo_uUi9`f@v*`h%{6j8HNu9Aw|oK z^=uzUmZc6szj+5Iz$TP`pR&)o9fAFLF?bc7($s9q?cqSFXV{r}5_xEuGkWgF=a;2N zG(hb_T(u6gGpE{AestvTSH8x`sn zhBvle#TWVWs79KGp+hC)+Z#U@#up!e-hw}HE*wR9#8Zy5q~LDoSkIIX`ii)SHADzQ zgY*c`KP9FD()kaFXSusPm4fIyCv-OcfhvyexWI=+6UCPbsslZC(PNBpNW$#a$${x* z%*TOT^>fJK&!|Z?Io1>CcBI9uQMHI=$sqeerBSdo(f&j z+}L$LCPTglU8b0LUhwvR^YR{NdO3>AW(u`5Ore`SA<|C2t!1SY1{gqm0xbKRt$Cbq zk}Sf8&!!PSHOEAi1uPZ~GPM<^tl-r=PE5cUE0w9DT8_)FOcK|NPaa zK?g`9@7ABs$_^uPX)c)Nj}J$93Ue~W%XRqQ3%^R6+YKmBExz=QU5ak#`wIIp^uNrM z0q^Zw0QdCB>(F-f03N*c>HdfXYU5zbP*XCr7Do{0kC^A?_P<*N)&$Q#c&rQd2FSjC zM5$2YL8yV97TBAo+X|P;bB?XhtKMqpq{S$6to;`Eh)N5bgC6v@KZB@D@^T6sT2n~P zGf1<)YV6dNt(#zW)(U9~m;7W!E|jg&%HZ9YOC@M(8_!X0)l!L4&K^~;(^D3$qa=1{ za-d|}ajl!3tq3{mODqc~EaJ~g_o*{55I&s7MnF&36Zy1Ju$gneJ#}C0^s6Jm+7cuz z2=6R=Z*%1E#rsMe50Wg>F^P(Eu7`v8aoZ4-guJB@e{3TrBD#uIwOs@se!C(Y9VFk6 zIo#@Imq`&bR%6+_c#o45hkWPb7R+6=e9^Ie{Vg#brrriu8_<@mBk12 
z#P$Tq5zFR`jruvBR&~NY@Io>P1zvf^s5;O155G`7^Q11|2CZZGEBF86bYLaSLNlhR z!k6x+me(0+HEvj1Kuk40M*>xHK96Lm`&sU%eFk?Zf*dMlW2gZHVBFK>zl0>=T z&W0clxgXDEXQ{inP88nfmHsjt$Zs6Q#obe*eRl3Aai>cz5SaVsWSm+gUB%De;II7Z zv6E`r{n*U-JOwW9%n#sBsF0UU)cEL9G-0Sxd;qeb#=?d`x4Dz-A!sGp^~LRt15dun zwYlEWs_Tq&6$9_hJtx9jrgsclVw;bbpw2aNnmnU7fgycC=tcLwKe44epYXtg0lPI} zkNN3@zUL8D6y~C^1zPHn{9TE6uVs9xQ{?W|3;|pb z_YOk#Lnj6;Lqw2=IceU~NSc5+=F)m>u^R*Aw^IsHZHsdIay^v8XH+p+(+a=| z|H9ZtbR)_=1;v)H+GK;TBQUA|?Q#cRGXb6gqjZGlOqJwc6uX?f%rvcTFpcM=XkwaDr%lQ$!k7bOM*qRfcCQIbVZKxId}sZ;fza7%JArpxlaE!0 zF1(u6hc(~Ey7k*`R$y+S0_ohZFcYZ|d=7W>*6$+@_TgIvOAxohsL8{KE0t-|nmkvU z?mm*uAjswm;Ds0YiKXSZ%K4x}q1CW{6ZKD~!uH1~VMURjo$!Chq~K^q z&o^ia?H4&u(g(JB+zam|)oN_i@Fj8EN%nKv@!$dZsBaGnj&UU|AOsyW-Nh>a)A@Ni z-UHdu3U7!egBF)0-)Q#T@n&Zws0$=v;T`w3layoRxeMcHvFPEPnTb1j&XH0_2IJ+4 z@oNodSj)$Z{tM3f&zf^yz7jeA0=*D&^TCNbf@$dQqpA%?!VY@$zNB~Saer*LDSfrv z_197DJ*sPmi^xwOthZctjgGxzG&P_QXwn7yFLu7AoVWI;$wf!q{5B^mT zfh~)a=sBgc_@g$|PLQUurWMR`?6=LuV1%E!2&zk5Hncl%PsDq=Yd-=>(D8ufp=$Tv zK0#81p-Kw0@&v6E&PzwQ9fU~MKzYc|h{f|c56+8p`$9VYUS)P)S%Y`EguSVPfv2jyyoOC-xIDvED`OsbQ2iHcGB;d;9tG_J|J`v7Hs}V0K zu7Y|ese+fC`6Q9Oi*tWGK~?x09(A zIaq-4#`nc7A@i<2u{3Q%h(k>g`mR-QUt+6%?lD*DLObo7pXUo}wFzyR8~)^GU+%8N zI=f1G;r$EhH!HLn11V)=s+rdy9A_q60MCgZabbX=1AE;S8T>2h5iOaSAgKB+53f{? z+Mh|`TZ-FfCy}^T=DT>B>;n_8h<%Jq? 
z$3)~dGe||;nKwuMuJ88`gnm~!_9MVxDr&wJi7@>()~N35S`{HhWXHxYD763*0c5*U z!`lDoFSekOYi19@fj=6O{Bn2Iy!BgvHw;T2gMi4O5I~zu_tuYZe&~zu2HqbQ*>k@$ zbVX{P;Yaz~lCRSqN2Z}9lhZKAN@w=qH#%AU^`HFI6HA-f1l59F;mjPzLzjF zIqo|D21f9qH^n%~XHooQR&?SClT-p7_4PbG>2%Shl;IQP10oJH5=Kh@^r>8~ zdbzw%G{^-q-Xn_7Rs!Q8_O!hFMbhRLqXDAW90$T6&e5hH(9^m?;916{FIcAvuYs`K&y$*8_zp| z{lSDiq=M`QWo9At^JV}S1e}pjJfLRU5zpJDmd-q?$6#1Ruaa!VghF8(sI~B34|Tg~ zcR0`_WtV@{P37B0QeN4YWGKzh8~Qfs!JZ{+{(OpYcI(00QwavbUa#%!f19|AJ43eq z(gVU)Hu*8U~#btw!!9w_!~L?nKKqjOY%RY zF!*EkWSN@a3Fo2ETguK)0Ag1~JY1dH)`lEKqCXM#A$k7U6$egf9J0eA8i2RnN1Ev8 zq=n-6$tf|`PCGxMDZyr9$lV7V%V@o%c2(S6N!T@#AI@MUgqHO3+c=YkPUYq~WHMdCrHeW&ZP^J=4+)j9`K~G zk=)kt30tZLUQr;aM(VmrUwym(p*jZUbn?@d|3?gfmq^-$*mE7rIds_N**xfXWo=s7 z2KWO_S>P$10azYKWHju=1z^^s1e>Ja2shFqsiNr*Iu-q10P1V0% zOXvIV#*M#U<^vk;zMgI)s^Q;X%(&lpoTwe}c(sa#3ACRTc1kT}`AwG&1m3E21z^^l zeU$s_-}2+*NrRc)n35h~RnCsJGH$_L%|Yz8CyIta*+%?d=kz5^h-^+@>hrq>V<)aR z5J5wshcykRf)Kc$oEd zFCt;GGArCSwqCy$_^ES$pi1vO@xVHlR)*LdWi6hSV|vV#)Dn8m{{;!)^A_M(b-6v)`!4psM+JbAoSJN%w0X$?0pAzhTmS$7 literal 0 HcmV?d00001 From f1682c5cb3d050e6a1473699567bd7dd9072dcea Mon Sep 17 00:00:00 2001 From: manuasir Date: Tue, 10 Nov 2020 17:55:13 +0100 Subject: [PATCH 2/4] Including windows events --- TA_Wazuh_CIM_addon/default/props.conf | 48 ++++++------- TA_Wazuh_CIM_addon/default/transforms.conf | 80 ---------------------- 2 files changed, 24 insertions(+), 104 deletions(-) diff --git a/TA_Wazuh_CIM_addon/default/props.conf b/TA_Wazuh_CIM_addon/default/props.conf index f28ebc44c..216215125 100644 --- a/TA_Wazuh_CIM_addon/default/props.conf +++ b/TA_Wazuh_CIM_addon/default/props.conf 
@@ -1,32 +1,32 @@ ## Fields extraction [wazuh] SHOULD_LINEMERGE = false -KV_MODE = auto -REPORT-kv_for_wazuh_dvc = kv_for_dvc_host,kv_for_dvc_ip -REPORT-kv_for_wazuh = kv_for_default_wazuh,kv_for_splunk_wazuh,component_kv_for_splunk_wazuh,dest_kv_for_wazuh,file_kv_for_splunk_wazuh -REPORT-signature_for_wazuh = signature_id_for_default_wazuh,signature_id_for_splunk_wazuh -REPORT-object_kv_for_default_wazuh_550_552 = object_kv_for_default_wazuh_550_552 -REPORT-object_kv_for_default_wazuh_553 = object_kv_for_default_wazuh_553 -REPORT-object_kv_for_default_wazuh_554 = object_kv_for_default_wazuh_554 -REPORT-object_kv_for_default_wazuh_580_581 = object_kv_for_default_wazuh_580_581 -REPORT-object_kv_for_default_wazuh_591_592 = object_kv_for_default_wazuh_591_592 -REPORT-object_kv_for_default_wazuh_594_596 = object_kv_for_default_wazuh_594_596 -REPORT-object_kv_for_default_wazuh_598 = object_kv_for_default_wazuh_598 -REPORT-object_kv_for_default_wazuh_5303_5304 = object_kv_for_default_wazuh_5303_5304 -REPORT-object_kv_for_splunk_wazuh_550_596 = object_kv_for_splunk_wazuh_550_596 -REPORT-object_kv_for_splunk_wazuh_554_598 = object_kv_for_splunk_wazuh_554_598 +KV_MODE = json ## Alias -FIELDALIAS-dvc_for_wazuh = dvc_host as dvc -FIELDALIAS-severity_id_for_wazuh = crit as severity_id -FIELDALIAS-signature_id_for_wazuh = id as signature_id -FIELDALIAS-signature_for_wazuh = description as signature -FIELDALIAS-subject_for_wazuh = description as subject -FIELDALIAS-src_for_wazuh = src_ip as src -FIELDALIAS-object_path_for_wazuh = file_path as object_path -FIELDALIAS-user_for_wazuh = acct as user -FIELDALIAS-md5_new_for_wazuh = md5_new as file_hash -FIELDALIAS-body_for_wazuh = message as body +FIELDALIAS-severity_id_for_wazuh = rule.level as severity_id +FIELDALIAS-severity_id_for_suricata = data.alert.severity as severity_id +FIELDALIAS-signature_id_for_wazuh = rule.id as signature_id +FIELDALIAS-dest_port_wazuh = data.dest_port as dest_port +FIELDALIAS-wazuh_port_dst = 
data.dest_port as dest_port +FIELDALIAS-wazuh_port_dst = dest_port as dest + +# Alert model +FIELDALIAS-win_body_for_wazuh = data.win.system.message as body +FIELDALIAS-win_src_for_wazuh = data.win.system.providerName as src +FIELDALIAS-win_type_for_wazuh = data.win.system.channel as type + +# Windows Event Signature model +FIELDALIAS-win_dvc_for_wazuh = data.win.system.eventID as dvc +FIELDALIAS-win_dest_for_wazuh = agent.ip as dest + + +FIELDALIAS-signature_for_wazuh = rule.description as signature +FIELDALIAS-subject_for_wazuh = rule.description as subject +#FIELDALIAS-src_for_wazuh = data.srcip as src +FIELDALIAS-user_for_wazuh = data.dstuser as user +FIELDALIAS-md5_new_for_wazuh = syscheck.sha1_after as file_hash +FIELDALIAS-body_for_wazuh = rule.full_log as body ## Change and Alert CIM Mapping EVAL-object = COALESCE(file_name,host_name,orig_source) diff --git a/TA_Wazuh_CIM_addon/default/transforms.conf b/TA_Wazuh_CIM_addon/default/transforms.conf index 7b5de9b50..07305d6dc 100644 --- a/TA_Wazuh_CIM_addon/default/transforms.conf +++ b/TA_Wazuh_CIM_addon/default/transforms.conf 
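Review bot: `FIELDALIAS-wazuh_port_dst` is defined twice in the `[wazuh]` stanza, so the second definition (`dest_port as dest`) silently replaces the first, and what it aliases is wrong for CIM: `dest` is the destination host, not a port, and it collides with `FIELDALIAS-win_dest_for_wazuh = agent.ip as dest` a few lines below, leaving `dest` a multivalue of an IP and a port number. Drop both `FIELDALIAS-wazuh_port_dst` lines and keep `FIELDALIAS-dest_port_wazuh = data.dest_port as dest_port`; `FIELDALIAS-win_dvc_for_wazuh = data.win.system.eventID as dvc` has the same shape of problem, since `dvc` is a device name or address and the Windows event ID belongs with `signature_id`. `rule.level` (0-15) and Suricata's `data.alert.severity` (conventionally 1-4 with 1 the most severe) are both aliased to `severity_id` and then pass through the same `wazuh_severities_lookup`, so a top-priority Suricata alert comes out as `informational`; give `data.alert.severity` its own lookup or only alias it when `rule.level` is absent. The `EVAL-object = COALESCE(file_name,host_name,orig_source)` context line, and the `EVAL-user`/`EVAL-src_user` lines that presumably still follow it outside this hunk, reference `file_name`, `host_name`, `orig_source` and `target_user`, which were produced only by the transforms this commit deletes, so with `KV_MODE = json` they now evaluate to null; the `[wazuh]` stanza continues past the end of the hunk.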
@@ -7,83 +7,3 @@ filename = wazuh_action_lookup.csv
 
 [wazuh_object_category_lookup]
 filename = wazuh_object_category_lookup.csv
-
-###### wazuh ######
-[kv_for_dvc_host]
-REGEX = \s+([^\s]+)\s+wazuh:\s+Alert\s+Level:
-FORMAT = dvc_host::$1
-
-[kv_for_dvc_ip]
-REGEX = \s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+wazuh:\s*Alert\s+Level:
-FORMAT = dvc_ip::$1
-
-[kv_for_default_wazuh]
-REGEX = Alert Level:\s*([^;]+);\s*Rule:\s*([^\s\-]+)\s*\-\s*([^;]+);\s*Location:\s*([^;]+);(?:\s*srcip:\s*([\d\.]+);)?(?:\s*user:\s*([^;]+);)?\s*(.*)$
-FORMAT = crit::$1 id::$2 description::$3 component::$4 src_ip::$5 acct::$6 message::$7
-
-[signature_id_for_default_wazuh]
-REGEX = Rule:\s*([^\s\-]+)
-FORMAT = wazuh_signature_id::$1
-
-[signature_id_for_splunk_wazuh]
-REGEX = \s+id=(\d+)
-FORMAT = wazuh_signature_id::$1
-
-[kv_for_splunk_wazuh]
-REGEX = \s+component\s*=\s*"([^"]+)",(?:.*\s+file\s*=\s*"([^"]+)",)?
-FORMAT = component::$1 file::$2
-
-[component_kv_for_splunk_wazuh]
-SOURCE_KEY = component
-REGEX = ^(?:\(([^\)]+)\))?\s*(?:.+@)?(.+)->([^;]+)$
-FORMAT = dest_dns::$1 dest::$2 orig_source::$3
-
-[dest_kv_for_wazuh]
-SOURCE_KEY = dest
-REGEX = (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
-FORMAT = dest_ip::$1
-
-[file_kv_for_splunk_wazuh]
-SOURCE_KEY = file
-REGEX = (.*(?:\\|/)([^'\\/]+))
-FORMAT = file_path::$1 file_name::$2
-
-[object_kv_for_default_wazuh_550_552]
-REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*(?:550|551|552).+Current\sMD5:\s*'([^']+)';.+for:\s*'([^']*(?:\\|/)([^'\\/]+))'$
-FORMAT = file_modify_time::$1 md5_new::$2 file_path::$3 file_name::$4
-
-[object_kv_for_default_wazuh_553]
-REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*553.+File\s+'([^']*(?:\\|/)([^'\\/]+))'
-FORMAT = file_modify_time::$1 file_path::$2 file_name::$3
-
-[object_kv_for_default_wazuh_554]
-REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*554.+file\s+'([^']*(?:\\|/)([^'\\/]+))'
-FORMAT = file_create_time::$1 file_path::$2 file_name::$3
-
-[object_kv_for_default_wazuh_580_581]
-REGEX = \s+wazuh:.+Rule:\s*(?:580|581).+Host:\s*[\d\.]+\s+\(([^\)]+)\)
-FORMAT = host_name::$1
-
-[object_kv_for_default_wazuh_591_592]
-REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*(?:591|592).+\):\s*'([^']*(?:\\|/)([^'\\/]+))'\.$
-FORMAT = file_modify_time::$1 file_path::$2 file_name::$3
-
-[object_kv_for_default_wazuh_594_596]
-REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*(?:594|595|596).+Current\sMD5:\s*'([^']+)';.+for:\s*'([^']*\\([^'\\]+))'$
-FORMAT = file_modify_time::$1 md5_new::$2 file_path::$3 file_name::$4
-
-[object_kv_for_default_wazuh_598]
-REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+Rule:\s*598.+file\s+'([^']*\\([^'\\]+))'
-FORMAT = file_create_time::$1 file_path::$2 file_name::$3
-
-[object_kv_for_default_wazuh_5303_5304]
-REGEX = wazuh:.+Rule:\s*(?:5303|5304).+\s+([^:]+)\s*:\s*([^:]+)$
-FORMAT = target_user::$1 src_user::$2
-
-[object_kv_for_splunk_wazuh_550_596]
-REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+id=(?:550|551|552|594|595|596)
-FORMAT = file_modify_time::$1
-
-[object_kv_for_splunk_wazuh_554_598]
-REGEX = ^(.{1,32})\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+\s+wazuh:.+id=(?:554|598)
-FORMAT = file_create_time::$1
From 5d159f65ce0d9bd68adc33e7050d3e9e0605ffe6 Mon Sep 17 00:00:00 2001
From: manuasir
Date: Wed, 11 Nov 2020 21:25:50 +0100
Subject: [PATCH 3/4] Added more mapping
---
 TA_Wazuh_CIM_addon/default/props.conf | 60 +++++++++++++++------------
 1 file changed, 33 insertions(+), 27 deletions(-)
diff --git a/TA_Wazuh_CIM_addon/default/props.conf b/TA_Wazuh_CIM_addon/default/props.conf
index 216215125..57bd4ebe8 100644
--- a/TA_Wazuh_CIM_addon/default/props.conf
+++ b/TA_Wazuh_CIM_addon/default/props.conf
@@ -3,43 +3,49 @@
 SHOULD_LINEMERGE = false
 KV_MODE = json
 
-## Alias
-FIELDALIAS-severity_id_for_wazuh = rule.level as severity_id
-FIELDALIAS-severity_id_for_suricata = data.alert.severity as severity_id
-FIELDALIAS-signature_id_for_wazuh = rule.id as signature_id
-FIELDALIAS-dest_port_wazuh = data.dest_port as dest_port
-FIELDALIAS-wazuh_port_dst = data.dest_port as dest_port
-FIELDALIAS-wazuh_port_dst = dest_port as dest
-
-# Alert model
-FIELDALIAS-win_body_for_wazuh = data.win.system.message as body
-FIELDALIAS-win_src_for_wazuh = data.win.system.providerName as src
-FIELDALIAS-win_type_for_wazuh = data.win.system.channel as type
-
-# Windows Event Signature model
-FIELDALIAS-win_dvc_for_wazuh = data.win.system.eventID as dvc
-FIELDALIAS-win_dest_for_wazuh = agent.ip as dest
+## Common fields
+FIELDALIAS-severity_id = rule.level as severity_id
+FIELDALIAS-rule_id = rule.id as id
+#FIELDALIAS-severity_id_for_suricata = data.alert.severity as severity_id
+FIELDALIAS-signature_id = rule.id as signature_id
+FIELDALIAS-dest_port_wazuh = data.dest_port as dest_port
+FIELDALIAS-wazuh_dest = agent.ip as dest
+FIELDALIAS-wazuh_dest_ip = agent.ip as dest_ip
+FIELDALIAS-wazuh_md5_new_for = syscheck.sha1_after as file_hash
+FIELDALIAS-wazuh_body_for = rule.full_log as body
+FIELDALIAS-wazuh_signature_for = rule.description as signature
+FIELDALIAS-wazuh_subject_for = rule.description as subject
+FIELDALIAS-wazuh_url = rule.info
+
+# Windows
+FIELDALIAS-wazuh_win_body = data.win.system.message as body
+FIELDALIAS-wazuh_win_src = data.win.system.providerName as src
+FIELDALIAS-wazuh_win_type = data.win.system.channel as type
+FIELDALIAS-wazuh_win_dvc = data.win.system.computer as dvc
+FIELDALIAS-wazuh_win_dvc_ip = agent.ip as dvc_ip
+FIELDALIAS-wazuh_win_dest = agent.ip as dest
+FIELDALIAS-wazuh_win_src_ip = data.win.eventdata.ipAddress as src_ip
+FIELDALIAS-wazuh_win_src = data.win.eventdata.ipAddress as src
+FIELDALIAS-wazuh_win_nt_app = rule.groups{} as app
+FIELDALIAS-wazuh_win_user_for = data.win.eventdata.targetUserName as user
+FIELDALIAS-wazuh_win_user_id = data.win.eventdata.targetUserName as user_id
+FIELDALIAS-wazuh_win_src_user_id = data.win.eventdata.targetUserName as src_user_id
+
+FIELDALIAS-wazuh_win_description = rule.description as description
 
 
-FIELDALIAS-signature_for_wazuh = rule.description as signature
-FIELDALIAS-subject_for_wazuh = rule.description as subject
-#FIELDALIAS-src_for_wazuh = data.srcip as src
-FIELDALIAS-user_for_wazuh = data.dstuser as user
-FIELDALIAS-md5_new_for_wazuh = syscheck.sha1_after as file_hash
-FIELDALIAS-body_for_wazuh = rule.full_log as body
 
 ## Change and Alert CIM Mapping
 EVAL-object = COALESCE(file_name,host_name,orig_source)
 EVAL-user = IF(isnotnull(target_user), target_user, user)
 EVAL-src_user = IF(isnull(src_user), user, src_user)
-EVAL-vendor = "Open Source Security"
+EVAL-vendor = "Wazuh: The Open Source Security Platform"
 EVAL-product = "HIDS"
-EVAL-vendor_product = "wazuh:HIDS"
-EVAL-app = CASE(match(signature_id, "5303|5304|5402"), "su", match(signature_id, "5503|5715|5716"), "ssh", match(signature_id, "18107|18149"), "win:local", match(signature_id, ".*"), "wazuh:HIDS")
+EVAL-vendor_product = "wazuh"
+#EVAL-app = "wazuh"
 EVAL-ids_type = "host"
-
 
 ## Lookup
 LOOKUP-severity_for_wazuh = wazuh_severities_lookup severity_id OUTPUT severity
 LOOKUP-action_for_wazuh = wazuh_action_lookup signature_id AS wazuh_signature_id OUTPUT action,status,change_type,change_type AS wazuh_change_type
-LOOKUP-object_category_for_wazuh = wazuh_object_category_lookup signature_id OUTPUT object_category
+#LOOKUP-object_category_for_wazuh = wazuh_object_category_lookup signature_id OUTPUT object_category
From baec1fd300674b2e0271d733b417beb7772a80ec Mon Sep 17 00:00:00 2001
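Review bot: `FIELDALIAS-wazuh_win_src` appears twice in the added block (`data.win.system.providerName as src` and `data.win.eventdata.ipAddress as src`); only the last occurrence of a key in a stanza survives, so the providerName alias is silently discarded — if both are wanted, the first needs its own class name, e.g. `FIELDALIAS-wazuh_win_src_provider = data.win.system.providerName as src`. `FIELDALIAS-wazuh_url = rule.info` has no `AS <field>` clause, which the FIELDALIAS syntax requires, so it creates no field at all. The unchanged `EVAL-user = IF(isnotnull(target_user), target_user, user)` still relies on `target_user`, which was produced only by the regex transforms removed earlier in this series, so that branch presumably never fires now. The same duplicated key and bare `rule.info` alias are repeated in the `SplunkAppForWazuh/default/props.conf` hunk of the last commit.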
From: manuasir
Date: Mon, 14 Dec 2020 19:27:53 +0100
Subject: [PATCH 4/4] Merging mapping into Splunk app for Wazuh
---
 SplunkAppForWazuh/default/eventtypes.conf | 11 ++++
 SplunkAppForWazuh/default/limits.conf | 1 +
 SplunkAppForWazuh/default/props.conf | 52 ++++++++++++++++++-
 SplunkAppForWazuh/default/tags.conf | 10 ++++
 SplunkAppForWazuh/default/transforms.conf | 12 ++++-
 .../lookups/wazuh_action_lookup.csv | 25 +++++++++
 .../lookups/wazuh_object_category_lookup.csv | 17 ++++++
 .../lookups/wazuh_severities_lookup.csv | 17 ++++++
 8 files changed, 142 insertions(+), 3 deletions(-)
 create mode 100644 SplunkAppForWazuh/default/eventtypes.conf
 create mode 100644 SplunkAppForWazuh/default/limits.conf
 create mode 100644 SplunkAppForWazuh/default/tags.conf
 create mode 100644 SplunkAppForWazuh/lookups/wazuh_action_lookup.csv
 create mode 100644 SplunkAppForWazuh/lookups/wazuh_object_category_lookup.csv
 create mode 100644 SplunkAppForWazuh/lookups/wazuh_severities_lookup.csv
diff --git a/SplunkAppForWazuh/default/eventtypes.conf b/SplunkAppForWazuh/default/eventtypes.conf
new file mode 100644
index 000000000..c81d74298
--- /dev/null
+++ b/SplunkAppForWazuh/default/eventtypes.conf
@@ -0,0 +1,11 @@
+[wazuh_alert]
+search = index=wazuh
+#tags = alert
+
+[wazuh_file_integrity_monitoring]
+search = index=wazuh wazuh_change_type=filesystem
+#tags = endpoint change
+
+[wazuh_authentication]
+search = index=wazuh wazuh_change_type=authentication
+#tags = authentication default
diff --git a/SplunkAppForWazuh/default/limits.conf b/SplunkAppForWazuh/default/limits.conf
new file mode 100644
index 000000000..a1e8bc70d
--- /dev/null
+++ b/SplunkAppForWazuh/default/limits.conf
@@ -0,0 +1 @@
+indexed_kv_limit = 1000
\ No newline at end of file
diff --git a/SplunkAppForWazuh/default/props.conf b/SplunkAppForWazuh/default/props.conf
index bce9b0844..c49e291dc 100644
--- a/SplunkAppForWazuh/default/props.conf
+++ b/SplunkAppForWazuh/default/props.conf
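Review bot: `indexed_kv_limit = 1000` in the new `limits.conf` is written outside any stanza; this setting belongs under `[kv]`, so as committed it lands in the file's default stanza and is presumably overridden by the explicit `[kv]` value shipped in the system defaults, i.e. it will have no effect — add `[kv]` as the first line of the file. The file is also committed without a trailing newline (`\ No newline at end of file`), which is harmless but worth fixing in a hand-edited config file.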
@@ -1,4 +1,52 @@
 [wazuh]
 INDEXED_EXTRACTIONS = JSON
-KV_MODE = none
-AUTO_KV_JSON = false
\ No newline at end of file
+KV_MODE = json
+SHOULD_LINEMERGE = false
+
+
+## Common fields
+FIELDALIAS-severity_id = rule.level as severity_id
+FIELDALIAS-rule_id = rule.id as id
+
+#FIELDALIAS-severity_id_for_suricata = data.alert.severity as severity_id
+FIELDALIAS-signature_id = rule.id as signature_id
+FIELDALIAS-dest_port_wazuh = data.dest_port as dest_port
+FIELDALIAS-wazuh_dest = agent.ip as dest
+FIELDALIAS-wazuh_dest_ip = agent.ip as dest_ip
+FIELDALIAS-wazuh_md5_new_for = syscheck.sha1_after as file_hash
+FIELDALIAS-wazuh_body_for = rule.full_log as body
+FIELDALIAS-wazuh_signature_for = rule.description as signature
+FIELDALIAS-wazuh_subject_for = rule.description as subject
+FIELDALIAS-wazuh_url = rule.info
+
+# Windows
+FIELDALIAS-wazuh_win_body = data.win.system.message as body
+FIELDALIAS-wazuh_win_src = data.win.system.providerName as src
+FIELDALIAS-wazuh_win_type = data.win.system.channel as type
+FIELDALIAS-wazuh_win_dvc = data.win.system.computer as dvc
+FIELDALIAS-wazuh_win_dvc_ip = agent.ip as dvc_ip
+FIELDALIAS-wazuh_win_dest = agent.ip as dest
+FIELDALIAS-wazuh_win_src_ip = data.win.eventdata.ipAddress as src_ip
+FIELDALIAS-wazuh_win_src = data.win.eventdata.ipAddress as src
+FIELDALIAS-wazuh_win_nt_app = rule.groups{} as app
+FIELDALIAS-wazuh_win_user_for = data.win.eventdata.targetUserName as user
+FIELDALIAS-wazuh_win_user_id = data.win.eventdata.targetUserName as user_id
+FIELDALIAS-wazuh_win_src_user_id = data.win.eventdata.targetUserName as src_user_id
+
+FIELDALIAS-wazuh_win_description = rule.description as description
+
+
+## Change and Alert CIM Mapping
+EVAL-object = COALESCE(file_name,host_name,orig_source)
+EVAL-user = IF(isnotnull(target_user), target_user, user)
+EVAL-src_user = IF(isnull(src_user), user, src_user)
+EVAL-vendor = "Wazuh: The Open Source Security Platform"
+EVAL-product = "HIDS"
+EVAL-vendor_product = "wazuh"
+#EVAL-app = "wazuh"
+EVAL-ids_type = "host"
+
+## Lookup
+LOOKUP-severity_for_wazuh = wazuh_severities_lookup severity_id OUTPUT severity
+LOOKUP-action_for_wazuh = wazuh_action_lookup signature_id AS wazuh_signature_id OUTPUT action,status,change_type,change_type AS wazuh_change_type
+#LOOKUP-object_category_for_wazuh = wazuh_object_category_lookup signature_id OUTPUT object_category
diff --git a/SplunkAppForWazuh/default/tags.conf b/SplunkAppForWazuh/default/tags.conf
new file mode 100644
index 000000000..751bda0c9
--- /dev/null
+++ b/SplunkAppForWazuh/default/tags.conf
@@ -0,0 +1,10 @@
+[eventtype=wazuh_alert]
+alert = enabled
+
+[eventtype=wazuh_file_integrity_monitoring]
+endpoint = enabled
+change = enabled
+
+[eventtype=wazuh_authentication]
+authentication = enabled
+default = enabled
diff --git a/SplunkAppForWazuh/default/transforms.conf b/SplunkAppForWazuh/default/transforms.conf
index f28f42593..e32e0b4b1 100644
--- a/SplunkAppForWazuh/default/transforms.conf
+++ b/SplunkAppForWazuh/default/transforms.conf
@@ -10,4 +10,14 @@ fields_list = _key, id, url, port, user, password, filter
 [jobs_lookup]
 external_type = kvstore
 collection = jobs
-fields_list = _key, job, added, exec_time
\ No newline at end of file
+fields_list = _key, job, added, exec_time
+
+###### Lookups ######
+[wazuh_severities_lookup]
+filename = wazuh_severities_lookup.csv
+
+[wazuh_action_lookup]
+filename = wazuh_action_lookup.csv
+
+[wazuh_object_category_lookup]
+filename = wazuh_object_category_lookup.csv
diff --git a/SplunkAppForWazuh/lookups/wazuh_action_lookup.csv b/SplunkAppForWazuh/lookups/wazuh_action_lookup.csv
new file mode 100644
index 000000000..722c44ddd
--- /dev/null
+++ b/SplunkAppForWazuh/lookups/wazuh_action_lookup.csv
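Review bot: `LOOKUP-action_for_wazuh = wazuh_action_lookup signature_id AS wazuh_signature_id OUTPUT ...` matches the lookup's `signature_id` column against an event field named `wazuh_signature_id`, but nothing in this props.conf produces that field (the rule id is aliased only to `signature_id` and `id`), so `action`, `status` and `wazuh_change_type` never populate and the `wazuh_file_integrity_monitoring` / `wazuh_authentication` eventtypes added in eventtypes.conf, which search on `wazuh_change_type`, can never match. Dropping the rename, `LOOKUP-action_for_wazuh = wazuh_action_lookup signature_id OUTPUT action,status,change_type,change_type AS wazuh_change_type`, keys the lookup on the field that is actually extracted; the same line is carried as context in the `TA_Wazuh_CIM_addon/default/props.conf` hunks of the earlier commits, where the transforms that used to emit `wazuh_signature_id` were removed. Separately, the hunk pairs `INDEXED_EXTRACTIONS = JSON` with `KV_MODE = json` and deletes the previous `KV_MODE = none` / `AUTO_KV_JSON = false`; with index-time JSON extraction enabled, search-time JSON extraction for the same sourcetype should stay off, otherwise every field is extracted twice and surfaces as a duplicated multivalue, so the two removed lines are presumably the ones to keep.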
@@ -0,0 +1,25 @@
+signature_id,action,status,change_type
+550,modified,success,filesystem
+551,modified,success,filesystem
+552,modified,success,filesystem
+553,deleted,success,filesystem
+554,created,success,filesystem
+555,modified,success,filesystem
+580,modified,success,filesystem
+581,created,success,filesystem
+591,modified,success,filesystem
+592,modified,success,filesystem
+593,deleted,success,filesystem
+594,modified,success,filesystem
+595,modified,success,filesystem
+596,modified,success,filesystem
+597,deleted,success,filesystem
+598,created,success,filesystem
+5303,success,,authentication
+5304,success,,authentication
+5402,success,,authentication
+5503,failure,,authentication
+5715,success,,authentication
+5716,failure,,authentication
+18107,success,,authentication
+18149,success,,authentication
diff --git a/SplunkAppForWazuh/lookups/wazuh_object_category_lookup.csv b/SplunkAppForWazuh/lookups/wazuh_object_category_lookup.csv
new file mode 100644
index 000000000..ca046ca3f
--- /dev/null
+++ b/SplunkAppForWazuh/lookups/wazuh_object_category_lookup.csv
@@ -0,0 +1,17 @@
+signature_id,object_category
+550,file
+551,file
+552,file
+553,file
+554,file
+555,host_info
+580,host_info
+581,host_info
+591,file
+592,file
+593,win_event_log
+594,registry
+595,registry
+596,registry
+597,registry
+598,registry
diff --git a/SplunkAppForWazuh/lookups/wazuh_severities_lookup.csv b/SplunkAppForWazuh/lookups/wazuh_severities_lookup.csv
new file mode 100644
index 000000000..234084ffe
--- /dev/null
+++ b/SplunkAppForWazuh/lookups/wazuh_severities_lookup.csv
@@ -0,0 +1,17 @@
+severity_id,severity
+0,informational
+1,informational
+2,informational
+3,informational
+4,low
+5,low
+6,low
+7,low
+8,low
+9,medium
+10,medium
+11,medium
+12,high
+13,high
+14,high
+15,critical