E2E Research: FIM - Githubissues

juliamagan commented 2 years ago

Description

In this issue, we will study the FIM test case described here. All the info obtained will be used in the future for the design and implementation of E2E tests.

Tasks

[x] (T1): Environment provision
[x] (T2): Test case configuration
[x] (T3): Generate events
[x] (T4): Check alerts

Conclusion

We needed one manager and two agents (Linux and Windows). However, it could be done with one manager and one agent.

juliamagan commented 2 years ago

Task 1: Environment provision 🟢

I've followed the Quickstart guide and set up an all-in-one environment. For the agent, we have followed this guide. We have installed a Windows agent, too.

Install type	OS	CPU	RAM
All-in-one	CentOS 8	2	4096
Agent	CentOS 8	2	1024
Agent	Windows	2	4096

juliamagan commented 2 years ago

Task 2: Test case configuration 🟢

Linux agent:

We have created /home/vagrant/test directory and added the following configuration in /var/ossec/etc/ossec.conf:
```
<directories check_all="yes" whodata="yes">/home/vagrant/test</directories>
```
Windows agent:

We have created C:\Test directory and added the following configuration in C:\Program Files (x86)\ossec-agent\ossec.conf:
```
<directories check_all="yes" report_changes="yes" whodata="yes">C:\\Test</directories>
```

Finally, we restarted the agents to apply the configuration.

juliamagan commented 2 years ago

Task 3: Generate events 🟢

Linux agent:

Created a file:
```
touch test/test.txt
```
Modified a file:
```
echo "Testing" > test/test.txt
```
Deleted a file:
```
rm test/test.txt
```

Windows agent: We have also created, modified and deleted a file in the monitored directory.

juliamagan commented 2 years ago

Task 4: Check alerts 🟢

Linux agent:
- Wazuh dashboard
Wazuh indexer API
- Query: ``` curl --insecure -XGET -u 'USER:PASS' https://localhost:9200/wazuh-alerts-4.x-*/_search?pretty -H "Content-Type:application/json" -d '{"query":{"term":{"syscheck.path": "/home/vagrant/test/test.txt"}}}' ``` - Response: ``` { "took" : 5, "timed_out" : false, "_shards" : { "total" : 3, "successful" : 3, "skipped" : 0, "failed" : 0 }, "hits" : { "total" : { "value" : 3, "relation" : "eq" }, "max_score" : 0.13353139, "hits" : [ { "_index" : "wazuh-alerts-4.x-2022.05.10", "_type" : "_doc", "_id" : "pcporoABM_p2Aq5w3w2B", "_score" : 0.13353139, "_source" : { "syscheck" : { "size_before" : "0", "uname_after" : "root", "mtime_after" : "2022-05-10T14:39:05", "size_after" : "8", "gid_after" : "0", "md5_before" : "d41d8cd98f00b204e9800998ecf8427e", "sha256_before" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "mtime_before" : "2022-05-10T14:38:36", "mode" : "whodata", "path" : "/home/vagrant/test/test.txt", "sha1_after" : "e9f9b899cc7161e1eb0b1e4c042fdfabccf7958c", "changed_attributes" : [ "size", "mtime", "md5", "sha1", "sha256" ], "gname_after" : "root", "audit" : { "process" : { "parent_name" : "/usr/bin/su", "cwd" : "/home/vagrant", "parent_cwd" : "/", "name" : "/usr/bin/bash", "id" : "3883", "ppid" : "3882" }, "login_user" : { "name" : "vagrant", "id" : "1000" }, "effective_user" : { "name" : "root", "id" : "0" }, "user" : { "name" : "root", "id" : "0" }, "group" : { "name" : "root", "id" : "0" } }, "uid_after" : "0", "perm_after" : "rw-r--r--", "event" : "modified", "md5_after" : "ec4d59b2732f2f153240a8ff746282a6", "sha1_before" : "da39a3ee5e6b4b0d3255bfef95601890afd80709", "sha256_after" : "41920b348e0c6ff2ef9b7e3ee9308726aa5250fa717883e073ff6a936a9325a4", "inode_after" : 25675706 }, "agent" : { "ip" : "10.0.2.15", "name" : "centos_agent", "id" : "001" }, "manager" : { "name" : "localhost.localdomain" }, "rule" : { "mail" : false, "level" : 7, "pci_dss" : [ "11.5" ], "hipaa" : [ "164.312.c.1", "164.312.c.2" ], "tsc" : [ "PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3" ], "description" : "Integrity checksum changed.", "groups" : [ "ossec", "syscheck", "syscheck_entry_modified", "syscheck_file" ], "nist_800_53" : [ "SI.7" ], "gdpr" : [ "II_5.1.f" ], "firedtimes" : 1, "mitre" : { "technique" : [ "Stored Data Manipulation" ], "id" : [ "T1565.001" ], "tactic" : [ "Impact" ] }, "id" : "550", "gpg13" : [ "4.11" ] }, "decoder" : { "name" : "syscheck_integrity_changed" }, "full_log" : "File '/home/vagrant/test/test.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '8'\nOld modification time was: '1652193516', now it is '1652193545'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : 'ec4d59b2732f2f153240a8ff746282a6'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : 'e9f9b899cc7161e1eb0b1e4c042fdfabccf7958c'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : '41920b348e0c6ff2ef9b7e3ee9308726aa5250fa717883e073ff6a936a9325a4'\n", "input" : { "type" : "log" }, "@timestamp" : "2022-05-10T14:39:05.976Z", "location" : "syscheck", "id" : "1652193545.1017453", "timestamp" : "2022-05-10T14:39:05.976+0000" } }, { "_index" : "wazuh-alerts-4.x-2022.05.10", "_type" : "_doc", "_id" : "pspproABM_p2Aq5wQQ0p", "_score" : 0.13353139, "_source" : { "syscheck" : { "uname_after" : "root", "mtime_after" : "2022-05-10T14:39:05", "size_after" : "8", "gid_after" : "0", "mode" : "whodata", "path" : "/home/vagrant/test/test.txt", "sha1_after" : "e9f9b899cc7161e1eb0b1e4c042fdfabccf7958c", "gname_after" : "root", "audit" : { "process" : { "parent_name" : "/usr/bin/bash", "cwd" : "/home/vagrant", "parent_cwd" : "/home/vagrant", "name" : "/usr/bin/rm", "id" : "26871", "ppid" : "3883" }, "login_user" : { "name" : "vagrant", "id" : "1000" }, "effective_user" : { "name" : "root", "id" : "0" }, "user" : { "name" : "root", "id" : "0" }, "group" : { "name" : "root", "id" : "0" } }, "uid_after" : "0", "perm_after" : "rw-r--r--", "event" : "deleted", "md5_after" : "ec4d59b2732f2f153240a8ff746282a6", "sha256_after" : "41920b348e0c6ff2ef9b7e3ee9308726aa5250fa717883e073ff6a936a9325a4", "inode_after" : 25675706 }, "agent" : { "ip" : "10.0.2.15", "name" : "centos_agent", "id" : "001" }, "manager" : { "name" : "localhost.localdomain" }, "rule" : { "mail" : false, "level" : 7, "pci_dss" : [ "11.5" ], "hipaa" : [ "164.312.c.1", "164.312.c.2" ], "tsc" : [ "PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3" ], "description" : "File deleted.", "groups" : [ "ossec", "syscheck", "syscheck_entry_deleted", "syscheck_file" ], "nist_800_53" : [ "SI.7" ], "gdpr" : [ "II_5.1.f" ], "firedtimes" : 1, "mitre" : { "technique" : [ "File Deletion", "Data Destruction" ], "id" : [ "T1070.004", "T1485" ], "tactic" : [ "Defense Evasion", "Impact" ] }, "id" : "553", "gpg13" : [ "4.11" ] }, "decoder" : { "name" : "syscheck_deleted" }, "full_log" : "File '/home/vagrant/test/test.txt' deleted\nMode: whodata\n", "input" : { "type" : "log" }, "@timestamp" : "2022-05-10T14:39:27.900Z", "location" : "syscheck", "id" : "1652193567.1019027", "timestamp" : "2022-05-10T14:39:27.900+0000" } }, { "_index" : "wazuh-alerts-4.x-2022.05.10", "_type" : "_doc", "_id" : "pMporoABM_p2Aq5wfQ2D", "_score" : 0.13353139, "_source" : { "syscheck" : { "uname_after" : "root", "mtime_after" : "2022-05-10T14:38:36", "size_after" : "0", "gid_after" : "0", "mode" : "whodata", "path" : "/home/vagrant/test/test.txt", "sha1_after" : "da39a3ee5e6b4b0d3255bfef95601890afd80709", "gname_after" : "root", "audit" : { "process" : { "parent_name" : "/usr/bin/bash", "cwd" : "/home/vagrant", "parent_cwd" : "/home/vagrant", "name" : "/usr/bin/touch", "id" : "26862", "ppid" : "3883" }, "login_user" : { "name" : "vagrant", "id" : "1000" }, "effective_user" : { "name" : "root", "id" : "0" }, "user" : { "name" : "root", "id" : "0" }, "group" : { "name" : "root", "id" : "0" } }, "uid_after" : "0", "perm_after" : "rw-r--r--", "event" : "added", "md5_after" : "d41d8cd98f00b204e9800998ecf8427e", "sha256_after" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "inode_after" : 25675706 }, "agent" : { "ip" : "10.0.2.15", "name" : "centos_agent", "id" : "001" }, "manager" : { "name" : "localhost.localdomain" }, "rule" : { "firedtimes" : 1, "mail" : false, "level" : 5, "pci_dss" : [ "11.5" ], "hipaa" : [ "164.312.c.1", "164.312.c.2" ], "tsc" : [ "PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3" ], "description" : "File added to the system.", "groups" : [ "ossec", "syscheck", "syscheck_entry_added", "syscheck_file" ], "id" : "554", "nist_800_53" : [ "SI.7" ], "gpg13" : [ "4.11" ], "gdpr" : [ "II_5.1.f" ] }, "decoder" : { "name" : "syscheck_new_entry" }, "full_log" : "File '/home/vagrant/test/test.txt' added\nMode: whodata\n", "input" : { "type" : "log" }, "@timestamp" : "2022-05-10T14:38:36.932Z", "location" : "syscheck", "id" : "1652193516.1016405", "timestamp" : "2022-05-10T14:38:36.932+0000" } } ] } } ```

alerts.json
``` {"timestamp":"2022-05-10T14:38:36.932+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"centos_agent","ip":"10.0.2.15"},"manager":{"name":"localhost.localdomain"},"id":"1652193516.1016405","full_log":"File '/home/vagrant/test/test.txt' added\nMode: whodata\n","syscheck":{"path":"/home/vagrant/test/test.txt","mode":"whodata","size_after":"0","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"d41d8cd98f00b204e9800998ecf8427e","sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","uname_after":"root","gname_after":"root","mtime_after":"2022-05-10T14:38:36","inode_after":25675706,"event":"added","audit":{"user":{"id":"0","name":"root"},"process":{"id":"26862","name":"/usr/bin/touch","cwd":"/home/vagrant","parent_name":"/usr/bin/bash","parent_cwd":"/home/vagrant","ppid":"3883"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"vagrant"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"} {"timestamp":"2022-05-10T14:39:05.976+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"centos_agent","ip":"10.0.2.15"},"manager":{"name":"localhost.localdomain"},"id":"1652193545.1017453","full_log":"File '/home/vagrant/test/test.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '8'\nOld modification time was: '1652193516', now it is '1652193545'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : 'ec4d59b2732f2f153240a8ff746282a6'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : 'e9f9b899cc7161e1eb0b1e4c042fdfabccf7958c'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : '41920b348e0c6ff2ef9b7e3ee9308726aa5250fa717883e073ff6a936a9325a4'\n","syscheck":{"path":"/home/vagrant/test/test.txt","mode":"whodata","size_before":"0","size_after":"8","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"d41d8cd98f00b204e9800998ecf8427e","md5_after":"ec4d59b2732f2f153240a8ff746282a6","sha1_before":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha1_after":"e9f9b899cc7161e1eb0b1e4c042fdfabccf7958c","sha256_before":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha256_after":"41920b348e0c6ff2ef9b7e3ee9308726aa5250fa717883e073ff6a936a9325a4","uname_after":"root","gname_after":"root","mtime_before":"2022-05-10T14:38:36","mtime_after":"2022-05-10T14:39:05","inode_after":25675706,"changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified","audit":{"user":{"id":"0","name":"root"},"process":{"id":"3883","name":"/usr/bin/bash","cwd":"/home/vagrant","parent_name":"/usr/bin/su","parent_cwd":"/","ppid":"3882"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"vagrant"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"} {"timestamp":"2022-05-10T14:39:27.900+0000","rule":{"level":7,"description":"File deleted.","id":"553","mitre":{"id":["T1070.004","T1485"],"tactic":["Defense Evasion","Impact"],"technique":["File Deletion","Data Destruction"]},"firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"centos_agent","ip":"10.0.2.15"},"manager":{"name":"localhost.localdomain"},"id":"1652193567.1019027","full_log":"File '/home/vagrant/test/test.txt' deleted\nMode: whodata\n","syscheck":{"path":"/home/vagrant/test/test.txt","mode":"whodata","size_after":"8","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"ec4d59b2732f2f153240a8ff746282a6","sha1_after":"e9f9b899cc7161e1eb0b1e4c042fdfabccf7958c","sha256_after":"41920b348e0c6ff2ef9b7e3ee9308726aa5250fa717883e073ff6a936a9325a4","uname_after":"root","gname_after":"root","mtime_after":"2022-05-10T14:39:05","inode_after":25675706,"event":"deleted","audit":{"user":{"id":"0","name":"root"},"process":{"id":"26871","name":"/usr/bin/rm","cwd":"/home/vagrant","parent_name":"/usr/bin/bash","parent_cwd":"/home/vagrant","ppid":"3883"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"vagrant"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_deleted"},"location":"syscheck"} ```
Windows agent:
- Wazuh dashboard
Wazuh indexer API
- Query: ``` curl --insecure -XGET -u 'USER:PASS' https://localhost:9200/wazuh-alerts-4.x-*/_search?pretty -H "Content-Type:application/json" -d '{"query":{"term":{"syscheck.path": "c:\\test\\test.txt.txt"}}}' ``` - Response: ``` { "took" : 4, "timed_out" : false, "_shards" : { "total" : 3, "successful" : 3, "skipped" : 0, "failed" : 0 }, "hits" : { "total" : { "value" : 3, "relation" : "eq" }, "max_score" : 1.0296195, "hits" : [ { "_index" : "wazuh-alerts-4.x-2022.05.10", "_type" : "_doc", "_id" : "G8qUroABM_p2Aq5wxw-l", "_score" : 1.0296195, "_source" : { "syscheck" : { "uname_after" : "vagrant", "mtime_after" : "2022-05-10T15:26:59", "size_after" : "0", "win_perm_after" : [ { "allowed" : [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name" : "SYSTEM" }, { "allowed" : [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name" : "Administrators" }, { "allowed" : [ "READ_CONTROL", "SYNCHRONIZE", "READ_DATA", "READ_EA", "EXECUTE", "READ_ATTRIBUTES" ], "name" : "Users" }, { "allowed" : [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name" : "vagrant" } ], "mode" : "whodata", "path" : "c:\\test\\test.txt.txt", "sha1_after" : "da39a3ee5e6b4b0d3255bfef95601890afd80709", "audit" : { "process" : { "name" : "C:\\Windows\\explorer.exe", "id" : "4232" }, "user" : { "name" : "vagrant", "id" : "S-1-5-21-2235609361-411536120-1667373876-1000" } }, "attrs_after" : [ "ARCHIVE" ], "uid_after" : "S-1-5-21-2235609361-411536120-1667373876-1000", "event" : "added", "md5_after" : "d41d8cd98f00b204e9800998ecf8427e", "sha256_after" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }, "agent" : { "ip" : "10.0.2.15", "name" : "WIN-JLGVA4CR4VI", "id" : "002" }, "manager" : { "name" : "localhost.localdomain" }, "rule" : { "firedtimes" : 2, "mail" : false, "level" : 5, "pci_dss" : [ "11.5" ], "hipaa" : [ "164.312.c.1", "164.312.c.2" ], "tsc" : [ "PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3" ], "description" : "File added to the system.", "groups" : [ "ossec", "syscheck", "syscheck_entry_added", "syscheck_file" ], "id" : "554", "nist_800_53" : [ "SI.7" ], "gpg13" : [ "4.11" ], "gdpr" : [ "II_5.1.f" ] }, "decoder" : { "name" : "syscheck_new_entry" }, "full_log" : "File 'c:\\test\\test.txt.txt' added\nMode: whodata\n", "input" : { "type" : "log" }, "@timestamp" : "2022-05-10T15:27:05.886Z", "location" : "syscheck", "id" : "1652196425.2346604", "timestamp" : "2022-05-10T15:27:05.886+0000" } }, { "_index" : "wazuh-alerts-4.x-2022.05.10", "_type" : "_doc", "_id" : "H8qVroABM_p2Aq5wfw9I", "_score" : 1.0296195, "_source" : { "syscheck" : { "uname_after" : "vagrant", "mtime_after" : "2022-05-10T15:27:16", "size_after" : "7", "win_perm_after" : [ { "allowed" : [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name" : "SYSTEM" }, { "allowed" : [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name" : "Administrators" }, { "allowed" : [ "READ_CONTROL", "SYNCHRONIZE", "READ_DATA", "READ_EA", "EXECUTE", "READ_ATTRIBUTES" ], "name" : "Users" }, { "allowed" : [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name" : "vagrant" } ], "mode" : "whodata", "path" : "c:\\test\\test.txt.txt", "sha1_after" : "0820b32b206b7352858e8903a838ed14319acdfd", "audit" : { "process" : { "name" : "C:\\Windows\\explorer.exe", "id" : "4232" }, "user" : { "name" : "vagrant", "id" : "S-1-5-21-2235609361-411536120-1667373876-1000" } }, "attrs_after" : [ "ARCHIVE" ], "uid_after" : "S-1-5-21-2235609361-411536120-1667373876-1000", "event" : "deleted", "md5_after" : "fa6a5a3224d7da66d9e0bdec25f62cf0", "sha256_after" : "e806a291cfc3e61f83b98d344ee57e3e8933cccece4fb45e1481f1f560e70eb1" }, "agent" : { "ip" : "10.0.2.15", "name" : "WIN-JLGVA4CR4VI", "id" : "002" }, "manager" : { "name" : "localhost.localdomain" }, "rule" : { "mail" : false, "level" : 7, "pci_dss" : [ "11.5" ], "hipaa" : [ "164.312.c.1", "164.312.c.2" ], "tsc" : [ "PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3" ], "description" : "File deleted.", "groups" : [ "ossec", "syscheck", "syscheck_entry_deleted", "syscheck_file" ], "nist_800_53" : [ "SI.7" ], "gdpr" : [ "II_5.1.f" ], "firedtimes" : 2, "mitre" : { "technique" : [ "File Deletion", "Data Destruction" ], "id" : [ "T1070.004", "T1485" ], "tactic" : [ "Defense Evasion", "Impact" ] }, "id" : "553", "gpg13" : [ "4.11" ] }, "decoder" : { "name" : "syscheck_deleted" }, "full_log" : "File 'c:\\test\\test.txt.txt' deleted\nMode: whodata\n", "input" : { "type" : "log" }, "@timestamp" : "2022-05-10T15:27:52.012Z", "location" : "syscheck", "id" : "1652196472.2353608", "timestamp" : "2022-05-10T15:27:52.012+0000" } }, { "_index" : "wazuh-alerts-4.x-2022.05.10", "_type" : "_doc", "_id" : "HcqVroABM_p2Aq5wAg9B", "_score" : 0.6931471, "_source" : { "syscheck" : { "size_before" : "0", "uname_after" : "vagrant", "mtime_after" : "2022-05-10T15:27:16", "size_after" : "7", "md5_before" : "d41d8cd98f00b204e9800998ecf8427e", "diff" : "---\n> Testing\n", "win_perm_after" : [ { "allowed" : [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name" : "SYSTEM" }, { "allowed" : [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name" : "Administrators" }, { "allowed" : [ "READ_CONTROL", "SYNCHRONIZE", "READ_DATA", "READ_EA", "EXECUTE", "READ_ATTRIBUTES" ], "name" : "Users" }, { "allowed" : [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ], "name" : "vagrant" } ], "sha256_before" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "mtime_before" : "2022-05-10T15:26:59", "mode" : "whodata", "path" : "c:\\test\\test.txt.txt", "sha1_after" : "0820b32b206b7352858e8903a838ed14319acdfd", "changed_attributes" : [ "size", "mtime", "md5", "sha1", "sha256" ], "audit" : { "process" : { "name" : "C:\\Windows\\System32\\notepad.exe", "id" : "1744" }, "user" : { "name" : "vagrant", "id" : "S-1-5-21-2235609361-411536120-1667373876-1000" } }, "attrs_after" : [ "ARCHIVE" ], "uid_after" : "S-1-5-21-2235609361-411536120-1667373876-1000", "event" : "modified", "md5_after" : "fa6a5a3224d7da66d9e0bdec25f62cf0", "sha1_before" : "da39a3ee5e6b4b0d3255bfef95601890afd80709", "sha256_after" : "e806a291cfc3e61f83b98d344ee57e3e8933cccece4fb45e1481f1f560e70eb1" }, "agent" : { "ip" : "10.0.2.15", "name" : "WIN-JLGVA4CR4VI", "id" : "002" }, "manager" : { "name" : "localhost.localdomain" }, "rule" : { "mail" : false, "level" : 7, "pci_dss" : [ "11.5" ], "hipaa" : [ "164.312.c.1", "164.312.c.2" ], "tsc" : [ "PI1.4", "PI1.5", "CC6.1", "CC6.8", "CC7.2", "CC7.3" ], "description" : "Integrity checksum changed.", "groups" : [ "ossec", "syscheck", "syscheck_entry_modified", "syscheck_file" ], "nist_800_53" : [ "SI.7" ], "gdpr" : [ "II_5.1.f" ], "firedtimes" : 1, "mitre" : { "technique" : [ "Stored Data Manipulation" ], "id" : [ "T1565.001" ], "tactic" : [ "Impact" ] }, "id" : "550", "gpg13" : [ "4.11" ] }, "decoder" : { "name" : "syscheck_integrity_changed" }, "full_log" : "File 'c:\\test\\test.txt.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '7'\nOld modification time was: '1652196419', now it is '1652196436'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : 'fa6a5a3224d7da66d9e0bdec25f62cf0'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : '0820b32b206b7352858e8903a838ed14319acdfd'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : 'e806a291cfc3e61f83b98d344ee57e3e8933cccece4fb45e1481f1f560e70eb1'\n", "input" : { "type" : "log" }, "@timestamp" : "2022-05-10T15:27:18.151Z", "location" : "syscheck", "id" : "1652196438.2349453", "timestamp" : "2022-05-10T15:27:18.151+0000" } } ] } } ```

alerts.json
``` {"timestamp":"2022-05-10T15:27:05.886+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":2,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"WIN-JLGVA4CR4VI","ip":"10.0.2.15"},"manager":{"name":"localhost.localdomain"},"id":"1652196425.2346604","full_log":"File 'c:\\test\\test.txt.txt' added\nMode: whodata\n","syscheck":{"path":"c:\\test\\test.txt.txt","mode":"whodata","size_after":"0","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]},{"name":"vagrant","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]}],"uid_after":"S-1-5-21-2235609361-411536120-1667373876-1000","md5_after":"d41d8cd98f00b204e9800998ecf8427e","sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","attrs_after":["ARCHIVE"],"uname_after":"vagrant","mtime_after":"2022-05-10T15:26:59","event":"added","audit":{"user":{"id":"S-1-5-21-2235609361-411536120-1667373876-1000","name":"vagrant"},"process":{"id":"4232","name":"C:\\Windows\\explorer.exe"}}},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"} {"timestamp":"2022-05-10T15:27:18.151+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"WIN-JLGVA4CR4VI","ip":"10.0.2.15"},"manager":{"name":"localhost.localdomain"},"id":"1652196438.2349453","full_log":"File 'c:\\test\\test.txt.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '7'\nOld modification time was: '1652196419', now it is '1652196436'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : 'fa6a5a3224d7da66d9e0bdec25f62cf0'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : '0820b32b206b7352858e8903a838ed14319acdfd'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : 'e806a291cfc3e61f83b98d344ee57e3e8933cccece4fb45e1481f1f560e70eb1'\n","syscheck":{"path":"c:\\test\\test.txt.txt","mode":"whodata","size_before":"0","size_after":"7","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]},{"name":"vagrant","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]}],"uid_after":"S-1-5-21-2235609361-411536120-1667373876-1000","md5_before":"d41d8cd98f00b204e9800998ecf8427e","md5_after":"fa6a5a3224d7da66d9e0bdec25f62cf0","sha1_before":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha1_after":"0820b32b206b7352858e8903a838ed14319acdfd","sha256_before":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha256_after":"e806a291cfc3e61f83b98d344ee57e3e8933cccece4fb45e1481f1f560e70eb1","attrs_after":["ARCHIVE"],"uname_after":"vagrant","mtime_before":"2022-05-10T15:26:59","mtime_after":"2022-05-10T15:27:16","diff":"---\n> Testing\n","changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified","audit":{"user":{"id":"S-1-5-21-2235609361-411536120-1667373876-1000","name":"vagrant"},"process":{"id":"1744","name":"C:\\Windows\\System32\\notepad.exe"}}},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"} {"timestamp":"2022-05-10T15:27:52.012+0000","rule":{"level":7,"description":"File deleted.","id":"553","mitre":{"id":["T1070.004","T1485"],"tactic":["Defense Evasion","Impact"],"technique":["File Deletion","Data Destruction"]},"firedtimes":2,"mail":false,"groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"WIN-JLGVA4CR4VI","ip":"10.0.2.15"},"manager":{"name":"localhost.localdomain"},"id":"1652196472.2353608","full_log":"File 'c:\\test\\test.txt.txt' deleted\nMode: whodata\n","syscheck":{"path":"c:\\test\\test.txt.txt","mode":"whodata","size_after":"7","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]},{"name":"vagrant","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]}],"uid_after":"S-1-5-21-2235609361-411536120-1667373876-1000","md5_after":"fa6a5a3224d7da66d9e0bdec25f62cf0","sha1_after":"0820b32b206b7352858e8903a838ed14319acdfd","sha256_after":"e806a291cfc3e61f83b98d344ee57e3e8933cccece4fb45e1481f1f560e70eb1","attrs_after":["ARCHIVE"],"uname_after":"vagrant","mtime_after":"2022-05-10T15:27:16","event":"deleted","audit":{"user":{"id":"S-1-5-21-2235609361-411536120-1667373876-1000","name":"vagrant"},"process":{"id":"4232","name":"C:\\Windows\\explorer.exe"}}},"decoder":{"name":"syscheck_deleted"},"location":"syscheck"} ```

wazuh / wazuh-qa

E2E Research: FIM #2862

Description

Tasks

Conclusion

Task 1: Environment provision 🟢

Task 2: Test case configuration 🟢

Task 3: Generate events 🟢

Task 4: Check alerts 🟢