Open safiuddinr opened 3 weeks ago
This is an example of what it would look like in ossec.conf for an active response configuration:
```xml
<ossec_config>
  <active-response>
    <command>slack-notify</command>
    <location>server</location>
    <rules_id>100050</rules_id>
    <timeout>0</timeout>
  </active-response>

  <command>
    <name>slack-notify</name>
    <executable>slack-notify.sh</executable>
    <expect></expect>
    <extra_args>https://hooks.slack.com/services/YOUR_WEBHOOK_URL_HERE</extra_args>
    <timeout_allowed>no</timeout_allowed>
  </command>
</ossec_config>
```
Based on a custom rule like so:
```xml
<group name="custom_rules,">
  <rule id="100050" level="12">
    <if_sid>5710</if_sid>
    <match>^Failed to authenticate|^Authentication failed</match>
    <description>Multiple failed logins in a short time period.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
</group>
```
So any time our custom rule 100050 triggers, the slack-notify script will trigger. The custom rule would match more along the lines of whatever the script is loading into the log file we are tracking. This is just a generic example; fill in as needed.
We need to provide users the ability to edit the local rules XML file, for more than just this purpose. So thought should be put into where we mount this volume.
This research is for a solution for configuring Wazuh alerts to notify users on Elastic alerts, which is normally a paid feature from Elastic.
If ElastAlert is not an option
Elastic makes you pay for alerts. Especially for detection alerts based on rules, we want to be able to alert users to these detections.
There is an API you can call to pull down any detections. So utilizing this EXAMPLE script (change as needed):
We could run this job in systemd or as a cron job. This example checks the detections API for any alerts within the last 5 minutes.
One of the big benefits of Wazuh is that it's customizable to monitor ANY file you want to monitor. So we can configure ossec to monitor this specific file we are outputting to:
Then you could create a Wazuh rule that creates an alert if it detects anything new in this logfile. You could then create an active response for when alerts are detected in this logfile, i.e. Slack message, email, etc.
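The following is an added example of the poller described in this issue, not the EXAMPLE script the author refers to and not part of the Wazuh or Elastic projects. It queries Kibana's detection-engine signals search endpoint for the last 5 minutes, flattens each alert into one JSON line, and appends it to a file for Wazuh to tail. Everything beyond the endpoint path is an assumption: the `KIBANA_URL`/`KIBANA_API_KEY`/`DETECTIONS_LOG`/`DETECTIONS_STATE` environment variables, the log and state file paths, the alert field names (the 8.x `kibana.alert.*` and 7.x `signal.*` layouts are both tried), and the constructed `SAMPLE_RESPONSE`. The part a five-minute cron job most needs, and that the issue text does not mention, is deduplication: consecutive windows overlap whenever cron drifts or a query is slow, so without a record of already-written signal IDs Wazuh would alert on the same detection twice.

```python
"""Added example (not the script from the issue): poll the Kibana detection engine
for alerts from the last 5 minutes and append them as JSON lines to a file for
Wazuh to tail. Endpoint, field names, env vars and paths are assumptions."""
import json
import os
import urllib.request

KIBANA_URL = os.environ.get("KIBANA_URL", "https://kibana.example.internal:5601")  # assumed
LOG_FILE = os.environ.get("DETECTIONS_LOG", "/var/log/elastic-detections.log")  # assumed
STATE_FILE = os.environ.get("DETECTIONS_STATE", "/var/lib/elastic-detections/seen.json")  # assumed
WINDOW_MINUTES = 5


def build_query(window_minutes=WINDOW_MINUTES, size=200):
    """Search body: alerts whose @timestamp falls inside the polling window."""
    return {"query": {"bool": {"filter": [
                {"range": {"@timestamp": {"gte": f"now-{window_minutes}m", "lte": "now"}}}]}},
            "size": size, "sort": [{"@timestamp": {"order": "asc"}}]}


def fetch_signals(kibana_url, api_key, body):
    """POST the query to Kibana's detection_engine signals search endpoint."""
    req = urllib.request.Request(
        f"{kibana_url}/api/detection_engine/signals/search",
        data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _field(src, *paths):
    """First present nested field; tries the 8.x kibana.alert.* and 7.x signal.* layouts."""
    for path in paths:
        cur = src
        for part in path.split("."):
            cur = cur.get(part) if isinstance(cur, dict) else None
        if cur is not None:
            return cur
    return None


def normalise(hit):
    """Flatten one search hit into the compact record written to the log."""
    src = hit.get("_source", {})
    return {"signal_id": hit["_id"], "timestamp": src.get("@timestamp"),
            "rule_name": _field(src, "kibana.alert.rule.name", "signal.rule.name"),
            "severity": _field(src, "kibana.alert.severity", "signal.rule.severity"),
            "host": _field(src, "host.name"), "user": _field(src, "user.name"),
            "source": "elastic-detections"}


def new_records(hits, seen_ids):
    """Drop signals already written by an earlier run: consecutive 5-minute windows overlap
    (cron drift, slow queries), so without this Wazuh would alert on the same signal twice."""
    return [normalise(h) for h in hits if h["_id"] not in seen_ids]


def append_records(records, log_path):
    """Append newline-delimited JSON (read by Wazuh with <log_format>json</log_format>)."""
    with open(log_path, "a") as fh:
        for rec in records:
            fh.write(json.dumps(rec, separators=(",", ":")) + "\n")
    return len(records)


def load_state(path):
    """Signal IDs from earlier runs, oldest first; a missing or corrupt file means first run."""
    try:
        with open(path) as fh:
            return list(json.load(fh))
    except (OSError, ValueError):
        return []


def save_state(path, seen_ids, keep=5000):
    """Keep only the newest IDs; must cover more signals than one window can contain."""
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    with open(path, "w") as fh:
        json.dump(seen_ids[-keep:], fh)


SAMPLE_RESPONSE = {"hits": {"hits": [  # constructed sample shaped like a signals/search reply
    {"_id": "sig-1", "_source": {"@timestamp": "2024-05-01T10:00:12.000Z",
        "kibana": {"alert": {"rule": {"name": "Potential SSH Brute Force"}, "severity": "high"}},
        "host": {"name": "web-01"}, "user": {"name": "root"}}},
    {"_id": "sig-2", "_source": {"@timestamp": "2024-05-01T10:03:40.000Z",
        "signal": {"rule": {"name": "Sudo Privilege Escalation", "severity": "medium"}},
        "host": {"name": "db-02"}, "user": {"name": "svc_backup"}}}]}}


def run_once(hits, log_path, state_path):
    """One cron tick over already-fetched hits; returns how many new lines were written."""
    seen = load_state(state_path)
    written = append_records(new_records(hits, set(seen)), log_path)
    save_state(state_path, seen + [h["_id"] for h in hits if h["_id"] not in seen])
    return written


def demo():
    """Two ticks over the same sample window in a temp dir: (first, second, total lines)."""
    import tempfile
    d = tempfile.mkdtemp()
    log, state = os.path.join(d, "elastic-detections.log"), os.path.join(d, "state", "seen.json")
    first = run_once(SAMPLE_RESPONSE["hits"]["hits"], log, state)
    second = run_once(SAMPLE_RESPONSE["hits"]["hits"], log, state)
    with open(log) as fh:
        return first, second, len(fh.read().splitlines())


if __name__ == "__main__":
    api_key = os.environ["KIBANA_API_KEY"]  # assumed; read from the environment, never hard-coded
    hits = fetch_signals(KIBANA_URL, api_key, build_query())["hits"]["hits"]
    print(f"wrote {run_once(hits, LOG_FILE, STATE_FILE)} new detection(s) to {LOG_FILE}")
```

Run it from cron every five minutes (`*/5 * * * *`) with the API key in the job's environment rather than on the command line, and point Wazuh at the output with a `<localfile>` entry using `<log_format>json</log_format>` and `<location>/var/log/elastic-detections.log</location>` (paths are the assumed ones above). Because each line is JSON, a custom rule can match on the decoded fields directly, for example `<field name="source">elastic-detections</field>`, and that rule's ID is what the active response `<rules_id>` would reference.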