wazuh / wazuh-indexer

Wazuh indexer, the Wazuh search engine
https://opensearch.org/docs/latest/opensearch/index/
Apache License 2.0

Amazon Security Lake integration - Use Security Finding class #215

Closed AlexRuiz7 closed 5 months ago

AlexRuiz7 commented 5 months ago

Description

Related issue: #128

The Detection Finding class has proven to be unsupported by Amazon Security Lake (at least not yet), as per the conclusions on #213.

Initially, we thought about using the Security Finding class. Refer to #145 and https://github.com/wazuh/internal-devel-requests/issues/699#issuecomment-1927242316 for more information about this mapping.

Tasks

Implementation restrictions

AlexRuiz7 commented 5 months ago

Successfully mapped events to the Security Finding class.

+---------------+------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------------+----------------+------------------+-------------+---------+-------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------+
|   activity_id | analytic                                                                                             | attacks                                                                                                     | category_name   |   category_uid | class_name       |   class_uid |   count | message                                         | finding                                                                                                                        | metadata                                                                                                                                                | raw_data                                                                                                     | resources                                                            |   risk_score |   severity_id |   state_id |   status_id |       time |   type_uid | unmapped                                                                                                            |
|---------------+------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------------+----------------+------------------+-------------+---------+-------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------|
|             1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       8 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'.                                             | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            7 |             2 |          1 |          99 | 1714394401 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80784'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |      16 | Audit: Command: /usr/sbin/consoletype           | {'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                              | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             1 |          1 |          99 | 1714394411 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | {'category': 'ciscat', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '4454'}                   | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       0 | Sample alert 4                                  | {'title': 'Sample alert 4', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                              | [{'name': 'RHEL7', 'uid': '001'}]                                    |            2 |             1 |          1 |          99 | 1714394406 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       4 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'.                                    | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             2 |          1 |          99 | 1714394456 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80791'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/crond                 | {'title': 'Audit: Command: /usr/sbin/crond', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                 | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                              | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             1 |          1 |          99 | 1714394446 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | {'category': 'audit, audit_command', 'name': 'N/A', 'type': 'Rule', 'type_id': 1, 'uid': '80790'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       1 | Audit: Command: /usr/sbin/bash                  | {'title': 'Audit: Command: /usr/sbin/bash', 'types': array(['N/A'], dtype=object), 'uid': '1580123327.49031'}                  | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} |                                                                                                              | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             1 |          1 |          99 | 1714394451 |     200101 | {'data_sources': array(['', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}                       |
|             1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       8 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'.                                       | [{'name': 'RHEL7', 'uid': '001'}]                                    |            7 |             2 |          1 |          99 | 1714394461 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
|             1 | {'category': 'wazuh, rootcheck', 'name': 'rootcheck', 'type': 'Rule', 'type_id': 1, 'uid': '510'}    | [{'tactic': {'name': 'N/A', 'uid': 'N/A'}, 'technique': {'name': 'N/A', 'uid': 'N/A'}, 'version': 'v13.1'}] | Findings        |              2 | Security Finding |        2001 |       7 | Host-based anomaly detection event (rootcheck). | {'title': 'Host-based anomaly detection event (rootcheck).', 'types': array(['log'], dtype=object), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic). | [{'name': 'Debian', 'uid': '007'}]                                   |            7 |             2 |          1 |          99 | 1714394649 |     200101 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object), 'nist': array([], dtype=object)}              |
+---------------+------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------------+----------------+------------------+-------------+---------+-------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+------------+-------------+------------+------------+---------------------------------------------------------------------------------------------------------------------+
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ parquet-tools show ~/Downloads/ext_wazuh_region=us-east-1_accountId=111111111111_eventDay=20240429_252e485ff62a480f98f8d13bb085c55e.parquet > parquet.txt
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ rm -rf parquet
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ mkdir parquet
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ cp ~/Downloads/ext_wazuh_region=us-east-1_accountId=111111111111_eventDay=20240429_252e485ff62a480f98f8d13bb085c55e.parquet parquet/
(.venv) @alex-GL66 ➜ amazon-security-lake-ocsf-validation git:(main) ✗ python validate.py -i parquet/

ATTEMPTING TO VALIDATE FILE: ext_wazuh_region=us-east-1_accountId=111111111111_eventDay=20240429_252e485ff62a480f98f8d13bb085c55e.parquet

VALID OCSF.
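As an added illustration (not the integration's own code), the Python below builds one OCSF 1.1.0 Security Finding (class_uid 2001) record from a constructed Wazuh alert, reproducing the column layout visible in the parquet dump above, and runs a few structural checks on it before it would be handed to the Lake's validator. The Wazuh-side field names (rule.groups, rule.mitre, rule.firedtimes, decoder.name, agent, manager, input.type, full_log) are the standard wazuh-alerts document fields; the severity bucketing, the sources used for analytic.name, finding.types and unmapped.data_sources, the N/A placeholder in attacks, and the check_finding helper are assumptions inferred from the dump, not something the issue states.

```python
"""Map a constructed Wazuh alert to an OCSF 1.1.0 Security Finding (class_uid 2001).

Added example, not the wazuh-indexer integration's code. Field sources that are
assumptions are marked as such in comments.
"""
import json
from datetime import datetime

OCSF_VERSION = "1.1.0"
CLASS_UID, CLASS_NAME = 2001, "Security Finding"
CATEGORY_UID, CATEGORY_NAME = 2, "Findings"
ACTIVITY_ID = 1              # Create
STATE_NEW, STATUS_OTHER = 1, 99
ATTACK_VERSION = "v13.1"     # ATT&CK version string as seen in the dump

# Constructed sample in the shape of a wazuh-alerts-* document (not a real event).
SAMPLE_ALERT = {
    "id": "1580123327.49031",
    "timestamp": "2024-04-29T12:40:01.000+0000",
    "rule": {
        "id": "510", "level": 7, "firedtimes": 8,
        "description": "Host-based anomaly detection event (rootcheck).",
        "groups": ["wazuh", "rootcheck"],
        "mitre": {"id": ["T1014"], "tactic": ["Defense Evasion"], "technique": ["Rootkit"]},
        "nist_800_53": [],
    },
    "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal"},
    "manager": {"name": "wazuh-manager"},
    "decoder": {"name": "rootcheck"},
    "input": {"type": "log"},
    "full_log": "Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'.",
}


def severity_id(level: int) -> int:
    """Bucket the Wazuh rule level (0-15) into OCSF severity_id 1-5 (assumed thresholds)."""
    if level <= 3:
        return 1   # Informational
    if level <= 7:
        return 2   # Low
    if level <= 11:
        return 3   # Medium
    if level <= 14:
        return 4   # High
    return 5       # Critical


def to_epoch(ts: str) -> int:
    """Wazuh timestamp (ISO 8601 with millis and offset) to Unix seconds, as in the dump."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp())


def attacks(rule: dict) -> list:
    """rule.mitre -> OCSF attacks[]. Placeholder matches the dump when no MITRE data exists."""
    mitre = rule.get("mitre")
    if not mitre:
        return [{"tactic": {"name": "N/A", "uid": "N/A"},
                 "technique": {"name": "N/A", "uid": "N/A"}, "version": ATTACK_VERSION}]
    return [{"tactic": {"name": tac, "uid": "N/A"},         # Wazuh alerts carry no tactic id
             "technique": {"name": tech, "uid": tid}, "version": ATTACK_VERSION}
            for tid, tac, tech in zip(mitre["id"], mitre["tactic"], mitre["technique"])]


def to_security_finding(alert: dict) -> dict:
    rule, agent = alert["rule"], alert["agent"]
    decoder = alert.get("decoder", {}).get("name")   # assumed source of analytic.name
    return {
        "activity_id": ACTIVITY_ID,
        "analytic": {"category": ", ".join(rule.get("groups", [])), "name": decoder or "N/A",
                     "type": "Rule", "type_id": 1, "uid": rule["id"]},
        "attacks": attacks(rule),
        "category_name": CATEGORY_NAME, "category_uid": CATEGORY_UID,
        "class_name": CLASS_NAME, "class_uid": CLASS_UID,
        "count": rule.get("firedtimes", 1),
        "message": rule["description"],
        "finding": {"title": rule["description"],
                    "types": [alert.get("input", {}).get("type", "N/A")],  # assumed source
                    "uid": alert["id"]},
        "metadata": {"log_name": "Security events", "log_provider": "Wazuh",
                     "product": {"lang": "en", "name": "Wazuh", "vendor_name": "Wazuh, Inc."},
                     "version": OCSF_VERSION},
        "raw_data": alert.get("full_log", ""),
        "resources": [{"name": agent["name"], "uid": agent["id"]}],
        "risk_score": rule["level"],
        "severity_id": severity_id(rule["level"]),
        "state_id": STATE_NEW,
        "status_id": STATUS_OTHER,
        "time": to_epoch(alert["timestamp"]),
        "type_uid": CLASS_UID * 100 + ACTIVITY_ID,   # OCSF convention: 200101
        "unmapped": {"data_sources": [decoder or "", alert["manager"]["name"]],
                     "nist": rule.get("nist_800_53", [])},
    }


def check_finding(f: dict) -> list:
    """Cheap structural checks (hypothetical helper); returns a list of problems, empty if OK."""
    problems = []
    if f.get("class_uid") != CLASS_UID:
        problems.append("class_uid must be 2001")
    if f.get("type_uid") != f.get("class_uid", 0) * 100 + f.get("activity_id", -1):
        problems.append("type_uid must be class_uid*100 + activity_id")
    for key in ("time", "severity_id", "state_id", "status_id", "metadata", "finding"):
        if key not in f:
            problems.append(f"missing required field {key}")
    if not 1 <= f.get("severity_id", 0) <= 6:
        problems.append("severity_id out of range")
    if f.get("metadata", {}).get("version") != OCSF_VERSION:
        problems.append("metadata.version must be " + OCSF_VERSION)
    return problems


if __name__ == "__main__":
    record = to_security_finding(SAMPLE_ALERT)
    print(json.dumps(record, indent=2))
    print("problems:", check_finding(record))
```

The checks in check_finding only catch the cheap, self-inflicted mistakes (wrong class, type_uid not derived from activity_id, missing top-level fields); they are not a substitute for running the produced parquet through the validate.py tool shown above, which checks the record against the full OCSF schema.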