Closed 0xjiggleandwiggle closed 4 years ago
Hello @msalekmouad .
You can take a look at our API reference documentation: https://documentation.wazuh.com/3.12/user-manual/api/reference.html
There you will find all our API endpoints well documented and with examples.
As for the ones you asked for:
I hope this helps. If you have any other doubt, don't hesitate to ask.
Regards, Víctor.
Hello again @msalekmouad .
Let me apologize for my last response. I misunderstood you.
The Wazuh API does not have any endpoint to do this since alerts are directly indexed into ElasticSearch. To achieve this, you would need to use the ElasticSearch API. You could use Kibana and the Wazuh User Interface (WUI) to get this information manually, but I believe you want to automate this process.
To get these alerts using the ElasticSearch API, you must use the _search endpoint like this (keeping in mind that I have ES in the port 9200):
curl -X GET "<ELASTIC_IP>:9200/wazuh-alerts*/_search"
That would get you every alert. If you want alerts from a certain day:
curl -X GET "<ELASTIC_IP>:9200/wazuh-alerts-3.x-2020.06.03/_search"
You can also add queries to filter results. This would be helpful to get the syscheck events you asked for:
curl -X GET "<ELASTIC_IP>:9200/wazuh-alerts*/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "query" : {
    "term" : { "rule.groups" : "syscheck" }
  }
}
'
You can check more about these API calls here: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html
Let us know if this helps and don't hesitate to ask if you have any other doubt.
Regards, Víctor.
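As an added illustration of the approach described above (example code, not Víctor's or the Wazuh project's own), this script generalizes the single term query into a bool query that also restricts the time range and skips the manager's own alerts (agent.id 000), and it parses the _search response into a flat list. It assumes the same <ELASTIC_IP>:9200 placeholder as the thread, no authentication, and the standard Wazuh alert fields timestamp, agent.id and rule.*; the sample response is constructed inline so the parsing runs offline.

```python
"""Added example (not from the thread): build and parse Elasticsearch _search
requests for Wazuh alerts, generalising the rule.groups term query above."""
import json
import urllib.request

ES_URL = "http://<ELASTIC_IP>:9200"  # assumption: same placeholder as the thread, no auth


def build_alert_query(groups=("syscheck",), since="now-1d", exclude_manager=True, size=100):
    """Return a _search body: a bool query that ANDs a rule.groups match with a
    timestamp range and, optionally, a must_not on agent.id 000 (the manager)."""
    must = [{"terms": {"rule.groups": list(groups)}},
            {"range": {"timestamp": {"gte": since}}}]
    query = {"bool": {"must": must}}
    if exclude_manager:
        query["bool"]["must_not"] = [{"term": {"agent.id": "000"}}]
    return {"size": size, "sort": [{"timestamp": "desc"}], "query": query}


def search_alerts(body, index="wazuh-alerts*"):
    """POST the body to <index>/_search and return the decoded JSON (network call)."""
    req = urllib.request.Request(
        f"{ES_URL}/{index}/_search", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def summarize_hits(response):
    """Flatten a _search response into (timestamp, agent id, rule level, description)."""
    rows = []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit["_source"]
        rows.append((src["timestamp"], src["agent"]["id"],
                     src["rule"]["level"], src["rule"]["description"]))
    return rows


# Constructed sample response, shaped like a wazuh-alerts-* _search result.
SAMPLE_RESPONSE = {"hits": {"total": {"value": 2}, "hits": [
    {"_source": {"timestamp": "2020-06-03T10:15:00.000+0000",
                 "agent": {"id": "001", "name": "web01"},
                 "rule": {"level": 7, "groups": ["ossec", "syscheck"],
                          "description": "Integrity checksum changed."}}},
    {"_source": {"timestamp": "2020-06-03T09:58:12.000+0000",
                 "agent": {"id": "002", "name": "db01"},
                 "rule": {"level": 5, "groups": ["ossec", "syscheck"],
                          "description": "File added to the system."}}},
]}}

if __name__ == "__main__":
    print(json.dumps(build_alert_query(), indent=2))  # body to send with search_alerts()
    for row in summarize_hits(SAMPLE_RESPONSE):
        print(row)
```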
Hey, thank you very much, I really appreciate it. I have an end of year school project and I really need an intrusion detection system, but I need to create my custom web interface. Also, can you please tell me, can Wazuh detect attacks? And what attack can I test when I will be talking in front of the jury? Thanks
From: Víctor Fernández notifications@github.com Sent: Wednesday, June 3, 2020 11:31:01 AM To: wazuh/wazuh-api wazuh-api@noreply.github.com Cc: Mouad Msalek mouadmsalek@outlook.com; Mention mention@noreply.github.com Subject: Re: [wazuh/wazuh-api] How can i get alerts from API or other method if it possible (#489)
Hello @msalekmouad ,
Wazuh agents scan the monitored systems looking for malware, rootkits and suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
In addition to agent capabilities, the server component uses a signature-based approach to intrusion detection, using its regular expression engine to analyze collected log data and look for indicators of compromise.
You can use our documentation and blogs to learn more about Wazuh intrusion detection. Here you can find some examples:
I believe these links contain the information you are looking for.
Kind regards, Víctor.
Hello, Thank you very much.
From: Víctor Fernández notifications@github.com Sent: Thursday, June 4, 2020 2:58:52 PM To: wazuh/wazuh-api wazuh-api@noreply.github.com Cc: Mouad Msalek mouadmsalek@outlook.com; Mention mention@noreply.github.com Subject: Re: [wazuh/wazuh-api] How can i get alerts from API or other method if it possible (#489)
Thank you !! @vicferpoy
@vicferpoy
curl -X GET "<ELASTIC_IP>:9200/wazuh-alerts*/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "query" : {
    "term" : { "rule.groups" : "syscheck" }
  }
}
'
This endpoint returns only system logs for agent ID 000. I am looking for security events for all agents of a particular group. Can you please help me with how I can achieve this?
Hello, I'm really looking for how to get alerts, security events or file integrity events from the API, a socket or anything I can use in another web interface.