Closed AlexRuiz7 closed 5 months ago
Successfully mapped events to the Security Finding class.
+---------------+------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------------+----------------+------------------+-------------+---------+-------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------+
| activity_id | analytic | attacks | category_name | category_uid | class_name | class_uid | count | message | finding | metadata | raw_data | resources | risk_score | severity_id | state_id | status_id | time | type_uid | unmapped |
|---------------+------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------------+----------------+------------------+-------------+---------+-------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------|
| 1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'} | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings | 2 | Security Finding | 2001 | 8 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'. | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] | 7 | 2 | 1 | 99 | 1714394401 | 200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'} | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings | 2 | Security Finding | 2001 | 16 | Audit: Command: /usr/sbin/consoletype | {'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Debian', 'uid': '007'}] | 3 | 1 | 1 | 99 | 1714394411 | 200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '4454'} | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings | 2 | Security Finding | 2001 | 0 | Sample alert 4 | {'title': 'Sample alert 4', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'RHEL7', 'uid': '001'}] | 2 | 1 | 1 | 99 | 1714394406 | 200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'} | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings | 2 | Security Finding | 2001 | 4 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'. | [{'name': 'Amazon', 'uid': '002'}] | 7 | 2 | 1 | 99 | 1714394456 | 200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'} | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings | 2 | Security Finding | 2001 | 1 | Audit: Command: /usr/sbin/crond | {'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Amazon', 'uid': '002'}] | 3 | 1 | 1 | 99 | 1714394446 | 200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'} | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings | 2 | Security Finding | 2001 | 1 | Audit: Command: /usr/sbin/bash | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | | [{'name': 'Centos', 'uid': '005'}] | 3 | 1 | 1 | 99 | 1714394451 | 200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'} | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings | 2 | Security Finding | 2001 | 8 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'. | [{'name': 'RHEL7', 'uid': '001'}] | 7 | 2 | 1 | 99 | 1714394461 | 200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
| 1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'} | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings | 2 | Security Finding | 2001 | 7 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic). | [{'name': 'Debian', 'uid': '007'}] | 7 | 2 | 1 | 99 | 1714394649 | 200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)} |
+---------------+------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------------+----------------+------------------+-------------+---------+-------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------+
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ parquet-tools show ~/Downloads/ext_wazuh_region=us-east-1_accountId=111111111111_eventDay=20240429_252e485ff62a480f98f8d13bb085c55e.parquet > parquet.txt
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ rm -rf parquet
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ mkdir parquet
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ cp ~/Downloads/ext_wazuh_region=us-east-1_accountId=111111111111_eventDay=20240429_252e485ff62a480f98f8d13bb085c55e.parquet parquet/
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ python validate.py -i parquet/
ATTEMPTING TO VALIDATE FILE: ext_wazuh_region=us-east-1_accountId=111111111111_eventDay=20240429_252e485ff62a480f98f8d13bb085c55e.parquet
VALID OCSF.
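To make the field layout in the dump above concrete, here is an added example (not the Wazuh integration's own code) that builds one Security Finding (class_uid 2001) record from a constructed Wazuh alert and runs the structural checks a row should pass before its parquet file is handed to the validator. The severity thresholds, the decoder-based `analytic.name` and the `unmapped.data_sources` choice are assumptions chosen to agree with the rows shown, not the project's confirmed logic.

```python
from datetime import datetime
CLASS_UID, CATEGORY_UID, ACTIVITY_CREATE = 2001, 2, 1  # Security Finding / Findings / Create
REQUIRED = ("activity_id", "category_uid", "class_uid", "finding", "metadata", "severity_id", "time", "type_uid")

# Constructed Wazuh alert modelled on the first row of the dump above (not a real capture).
SAMPLE_ALERT = {
    "id": "1580123327.49031", "timestamp": "2024-04-29T12:40:01+00:00",
    "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal"},
    "decoder": {"name": "rootcheck"},
    "rule": {"id": "510", "level": 7, "firedtimes": 8, "groups": ["wazuh", "rootcheck"],
             "description": "Host-based anomaly detection event (rootcheck)."},
    "full_log": "Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'.",
}
def severity_from_level(level: int) -> int:
    # Assumed thresholds, chosen to agree with the dump (level 7 -> 2, levels 2 and 3 -> 1).
    return 1 if level <= 3 else 2 if level <= 7 else 3 if level <= 11 else 4
def to_security_finding(alert: dict) -> dict:
    """Map one Wazuh alert onto OCSF 1.1.0 Security Finding fields (field choices are assumed)."""
    rule, agent, decoder = alert["rule"], alert["agent"], alert.get("decoder", {}).get("name", "")
    groups, mitre_ids = rule.get("groups", []), rule.get("mitre", {}).get("id") or ["N/A"]
    return {
        "activity_id": ACTIVITY_CREATE,
        "analytic": {"category": ", ".join(groups), "name": decoder or "N/A",
                     "type": "Rule", "type_id": 1, "uid": rule["id"]},
        "attacks": [{"tactic": {"name": "N/A", "uid": "N/A"}, "technique": {"name": "N/A", "uid": t},
                     "version": "v13.1"} for t in mitre_ids],
        "category_name": "Findings", "category_uid": CATEGORY_UID,
        "class_name": "Security Finding", "class_uid": CLASS_UID,
        "count": rule.get("firedtimes", 1), "message": rule["description"],
        "finding": {"title": rule["description"], "types": ["log"], "uid": alert["id"]},
        "metadata": {"log_name": "Security events", "log_provider": "Wazuh", "version": "1.1.0",
                     "product": {"lang": "en", "name": "Wazuh", "vendor_name": "Wazuh, Inc."}},
        "raw_data": alert.get("full_log", ""),
        "resources": [{"name": agent["name"], "uid": agent["id"]}],
        "risk_score": rule["level"], "severity_id": severity_from_level(rule["level"]),
        "state_id": 1, "status_id": 99,  # New / Other
        "time": int(datetime.fromisoformat(alert["timestamp"]).timestamp()),
        "type_uid": CLASS_UID * 100 + ACTIVITY_CREATE,  # OCSF: type_uid = class_uid * 100 + activity_id
        "unmapped": {"data_sources": [decoder, "wazuh-manager"], "nist": []},
    }
def check_invariants(rec: dict) -> list[str]:
    """Structural checks a row should pass before its parquet file goes to validate.py."""
    checks = [(all(k in rec for k in REQUIRED), "missing a required field"),
              (rec.get("class_uid") == CLASS_UID, "class_uid must be 2001 (Security Finding)"),
              (rec.get("category_uid") == CATEGORY_UID, "category_uid must be 2 (Findings)"),
              (rec.get("type_uid") == rec.get("class_uid", 0) * 100 + rec.get("activity_id", 0),
               "type_uid must equal class_uid * 100 + activity_id"),
              (0 <= rec.get("severity_id", -1) <= 6, "severity_id outside OCSF range 0..6")]
    return [msg for ok, msg in checks if not ok]
```

Running `check_invariants` over every row before upload catches the type_uid/activity_id mismatches and out-of-range severities that otherwise only surface as a failed validation of the whole file.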
Description
Related issue: #128
The Detection Finding class has proven to be unsupported by Amazon Security Lake (at least for now), as per the conclusions in #213.
Initially, we thought about using the Security Finding class. Refer to #145 and https://github.com/wazuh/internal-devel-requests/issues/699#issuecomment-1927242316 for more information about this mapping.
Tasks
Implementation restrictions