
Save intermediate OCSF files to an S3 bucket #218

Closed AlexRuiz7 closed 2 months ago

AlexRuiz7 commented 2 months ago

Description

This PR adds the ability to save intermediate events in OCSF format to an S3 bucket for the Amazon Security Lake integration.

Issues Resolved

Closes #216

Check List

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.

AlexRuiz7 commented 2 months ago

Evidence

[
    {
        "activity_id": 1,
        "category_name": "Findings",
        "category_uid": 2,
        "class_name": "Detection Finding",
        "class_uid": 2004,
        "count": 17,
        "message": "Audit: Command: /usr/sbin/sh",
        "finding_info": {
            "analytic": {
                "category": "audit, audit_command",
                "name": "N/A",
                "type_id": 1,
                "uid": "80790"
            },
            "attacks": {
                "tactic": {
                    "name": "N/A",
                    "uid": "N/A"
                },
                "technique": {
                    "name": "N/A",
                    "uid": "N/A"
                },
                "version": "v13.1"
            },
            "title": "Audit: Command: /usr/sbin/sh",
            "types": [
                "N/A"
            ],
            "uid": "1580123327.49031"
        },
        "metadata": {
            "log_name": "Security events",
            "log_provider": "Wazuh",
            "product": {
                "name": "Wazuh",
                "lang": "en",
                "vendor_name": "Wazuh, Inc,."
            },
            "version": "1.1.0"
        },
        "raw_data": "",
        "resources": [
            {
                "name": "Ubuntu",
                "uid": "004"
            }
        ],
        "risk_score": 3,
        "severity_id": 1,
        "status_id": 99,
        "time": "2024-04-26T14:13:10.039+0000",
        "type_uid": 200401,
        "unmapped": {
            "data_sources": [
                "",
                "wazuh-manager"
            ],
            "nist": []
        }
    },
    {
        "activity_id": 1,
        "category_name": "Findings",
        "category_uid": 2,
        "class_name": "Detection Finding",
        "class_uid": 2004,
        "count": 0,
        "message": "Sample alert 1",
        "finding_info": {
            "analytic": {
                "category": "ciscat",
                "name": "N/A",
                "type_id": 1,
                "uid": "4746"
            },
            "attacks": {
                "tactic": {
                    "name": "N/A",
                    "uid": "N/A"
                },
                "technique": {
                    "name": "N/A",
                    "uid": "N/A"
                },
                "version": "v13.1"
            },
            "title": "Sample alert 1",
            "types": [
                "N/A"
            ],
            "uid": "1580123327.49031"
        },
        "metadata": {
            "log_name": "Security events",
            "log_provider": "Wazuh",
            "product": {
                "name": "Wazuh",
                "lang": "en",
                "vendor_name": "Wazuh, Inc,."
            },
            "version": "1.1.0"
        },
        "raw_data": "",
        "resources": [
            {
                "name": "Windows",
                "uid": "006"
            }
        ],
        "risk_score": 10,
        "severity_id": 3,
        "status_id": 99,
        "time": "2024-04-26T14:13:25.199+0000",
        "type_uid": 200401,
        "unmapped": {
            "data_sources": [
                "",
                "wazuh-manager"
            ],
            "nist": []
        }
    },
    {
        "activity_id": 1,
        "category_name": "Findings",
        "category_uid": 2,
        "class_name": "Detection Finding",
        "class_uid": 2004,
        "count": 11,
        "message": "Audit: Command: /usr/sbin/id",
        "finding_info": {
            "analytic": {
                "category": "audit, audit_command",
                "name": "N/A",
                "type_id": 1,
                "uid": "80784"
            },
            "attacks": {
                "tactic": {
                    "name": "N/A",
                    "uid": "N/A"
                },
                "technique": {
                    "name": "N/A",
                    "uid": "N/A"
                },
                "version": "v13.1"
            },
            "title": "Audit: Command: /usr/sbin/id",
            "types": [
                "N/A"
            ],
            "uid": "1580123327.49031"
        },
        "metadata": {
            "log_name": "Security events",
            "log_provider": "Wazuh",
            "product": {
                "name": "Wazuh",
                "lang": "en",
                "vendor_name": "Wazuh, Inc,."
            },
            "version": "1.1.0"
        },
        "raw_data": "",
        "resources": [
            {
                "name": "Centos",
                "uid": "005"
            }
        ],
        "risk_score": 3,
        "severity_id": 1,
        "status_id": 99,
        "time": "2024-04-26T14:13:03.845+0000",
        "type_uid": 200401,
        "unmapped": {
            "data_sources": [
                "",
                "wazuh-manager"
            ],
            "nist": []
        }
    },
    {
        "activity_id": 1,
        "category_name": "Findings",
        "category_uid": 2,
        "class_name": "Detection Finding",
        "class_uid": 2004,
        "count": 17,
        "message": "Audit: Command: /usr/sbin/sh",
        "finding_info": {
            "analytic": {
                "category": "audit, audit_command",
                "name": "N/A",
                "type_id": 1,
                "uid": "80790"
            },
            "attacks": {
                "tactic": {
                    "name": "N/A",
                    "uid": "N/A"
                },
                "technique": {
                    "name": "N/A",
                    "uid": "N/A"
                },
                "version": "v13.1"
            },
            "title": "Audit: Command: /usr/sbin/sh",
            "types": [
                "N/A"
            ],
            "uid": "1580123327.49031"
        },
        "metadata": {
            "log_name": "Security events",
            "log_provider": "Wazuh",
            "product": {
                "name": "Wazuh",
                "lang": "en",
                "vendor_name": "Wazuh, Inc,."
            },
            "version": "1.1.0"
        },
        "raw_data": "",
        "resources": [
            {
                "name": "RHEL7",
                "uid": "001"
            }
        ],
        "risk_score": 3,
        "severity_id": 1,
        "status_id": 99,
        "time": "2024-04-26T14:13:20.151+0000",
        "type_uid": 200401,
        "unmapped": {
            "data_sources": [
                "",
                "wazuh-manager"
            ],
            "nist": []
        }
    },
    {
        "activity_id": 1,
        "category_name": "Findings",
        "category_uid": 2,
        "class_name": "Detection Finding",
        "class_uid": 2004,
        "count": 3,
        "message": "Audit: Command: /usr/sbin/ssh",
        "finding_info": {
            "analytic": {
                "category": "audit, audit_command",
                "name": "N/A",
                "type_id": 1,
                "uid": "80791"
            },
            "attacks": {
                "tactic": {
                    "name": "N/A",
                    "uid": "N/A"
                },
                "technique": {
                    "name": "N/A",
                    "uid": "N/A"
                },
                "version": "v13.1"
            },
            "title": "Audit: Command: /usr/sbin/ssh",
            "types": [
                "N/A"
            ],
            "uid": "1580123327.49031"
        },
        "metadata": {
            "log_name": "Security events",
            "log_provider": "Wazuh",
            "product": {
                "name": "Wazuh",
                "lang": "en",
                "vendor_name": "Wazuh, Inc,."
            },
            "version": "1.1.0"
        },
        "raw_data": "",
        "resources": [
            {
                "name": "RHEL7",
                "uid": "001"
            }
        ],
        "risk_score": 3,
        "severity_id": 1,
        "status_id": 99,
        "time": "2024-04-26T14:13:15.111+0000",
        "type_uid": 200401,
        "unmapped": {
            "data_sources": [
                "",
                "wazuh-manager"
            ],
            "nist": []
        }
    }
]