wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0
65 stars, 32 forks

E2E Research: Slack #2876

Closed juliamagan closed 2 years ago

juliamagan commented 2 years ago

Description

In this issue, we will study the Slack test case described here. All the info obtained will be used in the future for the design and implementation of E2E tests.

Tasks

Conclusion

We just need one manager and a Slack app.

juliamagan commented 2 years ago

Task 1: Environment provision

I've followed the Quickstart guide and set up an all-in-one environment.

Install type | OS       | CPU | RAM (MB)
-------------|----------|-----|---------
All-in-one   | CentOS 8 | 2   | 4096
juliamagan commented 2 years ago

Task 2: Test case configuration

We have created an app in Slack and added the following configuration:

```xml
<integration>
    <name>slack</name>
    <hook_url>${replace_by_SlackHook}</hook_url>
    <level>10</level>
    <alert_format>json</alert_format>
</integration>
```

Finally, we have restarted the manager.

juliamagan commented 2 years ago

Task 3: Generate event

We will receive a message in Slack when a level 10 or higher alert is triggered, so we have generated a brute force attack alert.

juliamagan commented 2 years ago

Task 4: Check alerts


```
Wed May 11 12:29:20 UTC 2022 /tmp/slack-1652272160-917609775.alert  <SlackHook>  > /dev/null 2>&1
```
Wazuh indexer API

Query:

```shell
curl --insecure -XGET -u 'USER:PASS' https://localhost:9200/wazuh-alerts-4.x-*/_search?pretty -H "Content-Type:application/json" -d '{"query":{"term":{"rule.id": "5712"}}}'
```

Response:

```json
{
  "took" : 3,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 4.6507807,
    "hits" : [
      {
        "_index" : "wazuh-alerts-4.x-2022.05.11",
        "_type" : "_doc",
        "_id" : "0P0Ys4ABu16aFzjUYriy",
        "_score" : 4.6507807,
        "_source" : {
          "agent" : {
            "name" : "localhost.localdomain",
            "id" : "000"
          },
          "data" : {
            "srcuser" : "paco",
            "srcip" : "172.17.1.1",
            "srcport" : "56404"
          },
          "rule" : {
            "mail" : false,
            "level" : 10,
            "hipaa" : [ "164.312.b" ],
            "pci_dss" : [ "11.4", "10.2.4", "10.2.5" ],
            "tsc" : [ "CC6.1", "CC6.8", "CC7.2", "CC7.3" ],
            "description" : "sshd: brute force trying to get access to the system. Non existent user.",
            "groups" : [ "syslog", "sshd", "authentication_failures" ],
            "nist_800_53" : [ "SI.4", "AU.14", "AC.7" ],
            "frequency" : 8,
            "gdpr" : [ "IV_35.7.d", "IV_32.2" ],
            "firedtimes" : 1,
            "mitre" : {
              "technique" : [ "Brute Force" ],
              "id" : [ "T1110" ],
              "tactic" : [ "Credential Access" ]
            },
            "id" : "5712"
          },
          "full_log" : "May 11 12:29:18 localhost sshd[17584]: Invalid user paco from 172.17.1.1 port 56404",
          "id" : "1652272159.1549653",
          "timestamp" : "2022-05-11T12:29:19.905+0000",
          "predecoder" : {
            "hostname" : "localhost",
            "program_name" : "sshd",
            "timestamp" : "May 11 12:29:18"
          },
          "previous_output" : "May 11 12:29:16 localhost sshd[17582]: Invalid user paco from 172.17.1.1 port 56402\nMay 11 12:29:14 localhost sshd[17580]: Invalid user paco from 172.17.1.1 port 56400\nMay 11 12:29:11 localhost sshd[17578]: Invalid user paco from 172.17.1.1 port 56398\nMay 11 12:29:09 localhost sshd[17576]: Invalid user paco from 172.17.1.1 port 56396\nMay 11 12:29:07 localhost sshd[17574]: Invalid user paco from 172.17.1.1 port 56394\nMay 11 12:29:04 localhost sshd[17572]: Invalid user paco from 172.17.1.1 port 56392\nMay 11 12:29:00 localhost sshd[17570]: Invalid user paco from 172.17.1.1 port 56390",
          "manager" : {
            "name" : "localhost.localdomain"
          },
          "decoder" : {
            "parent" : "sshd",
            "name" : "sshd"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2022-05-11T12:29:19.905Z",
          "location" : "/var/log/secure"
        }
      }
    ]
  }
}
```
alerts.json

```json
{
  "timestamp": "2022-05-11T12:29:19.905+0000",
  "rule": {
    "level": 10,
    "description": "sshd: brute force trying to get access to the system. Non existent user.",
    "id": "5712",
    "mitre": {
      "id": ["T1110"],
      "tactic": ["Credential Access"],
      "technique": ["Brute Force"]
    },
    "frequency": 8,
    "firedtimes": 1,
    "mail": false,
    "groups": ["syslog", "sshd", "authentication_failures"],
    "gdpr": ["IV_35.7.d", "IV_32.2"],
    "hipaa": ["164.312.b"],
    "nist_800_53": ["SI.4", "AU.14", "AC.7"],
    "pci_dss": ["11.4", "10.2.4", "10.2.5"],
    "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]
  },
  "agent": {"id": "000", "name": "localhost.localdomain"},
  "manager": {"name": "localhost.localdomain"},
  "id": "1652272159.1549653",
  "previous_output": "May 11 12:29:16 localhost sshd[17582]: Invalid user paco from 172.17.1.1 port 56402\nMay 11 12:29:14 localhost sshd[17580]: Invalid user paco from 172.17.1.1 port 56400\nMay 11 12:29:11 localhost sshd[17578]: Invalid user paco from 172.17.1.1 port 56398\nMay 11 12:29:09 localhost sshd[17576]: Invalid user paco from 172.17.1.1 port 56396\nMay 11 12:29:07 localhost sshd[17574]: Invalid user paco from 172.17.1.1 port 56394\nMay 11 12:29:04 localhost sshd[17572]: Invalid user paco from 172.17.1.1 port 56392\nMay 11 12:29:00 localhost sshd[17570]: Invalid user paco from 172.17.1.1 port 56390",
  "full_log": "May 11 12:29:18 localhost sshd[17584]: Invalid user paco from 172.17.1.1 port 56404",
  "predecoder": {"program_name": "sshd", "timestamp": "May 11 12:29:18", "hostname": "localhost"},
  "decoder": {"parent": "sshd", "name": "sshd"},
  "data": {"srcip": "172.17.1.1", "srcport": "56404", "srcuser": "paco"},
  "location": "/var/log/secure"
}
```
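The checks in Tasks 2 to 4 above (the `<level>10</level>` filter, the integrations log entry showing the Slack hook being called, and the indexer query for `rule.id` 5712) can be automated as offline assertions over the manager's files. The script below is an added example written for this page; it is not code from the issue or from the wazuh-qa repository. The sample `alerts.json` lines and the `integrations.log` line are constructed in the same layout as the ones posted above (the hook URL is a placeholder), and it assumes that `<level>` acts as a minimum, that the temp file name `/tmp/slack-<epoch>-<n>.alert` in the log carries the dispatch time, and that a dispatch within five seconds after the alert id's epoch belongs to that alert (the temp file itself is removed after the script runs, so timing is the only correlation the log leaves).

```python
import json
import re

# Constructed sample alerts.json content (not captured from the issue's
# environment): a level 5 single-failure alert that <level>10</level> must
# drop, and the level 10 sshd brute-force alert that must reach Slack.
SAMPLE_ALERTS_JSON = """\
{"timestamp":"2022-05-11T12:28:21.000+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","groups":["syslog","sshd","invalid_login","authentication_failed"]},"agent":{"id":"000","name":"localhost.localdomain"},"id":"1652272101.1549000","data":{"srcip":"172.17.1.1","srcuser":"paco"},"location":"/var/log/secure"}
{"timestamp":"2022-05-11T12:29:19.905+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","groups":["syslog","sshd","authentication_failures"]},"agent":{"id":"000","name":"localhost.localdomain"},"id":"1652272159.1549653","data":{"srcip":"172.17.1.1","srcuser":"paco"},"location":"/var/log/secure"}
"""

# Constructed integrations.log line in the layout shown in the issue; the hook
# URL is a placeholder, not a real Slack webhook.
SAMPLE_INTEGRATIONS_LOG = """\
Wed May 11 12:29:20 UTC 2022 /tmp/slack-1652272160-917609775.alert  https://hooks.slack.com/services/PLACEHOLDER  > /dev/null 2>&1
"""

# A dispatch line names the temp file /tmp/<integration>-<epoch>-<n>.alert that
# was handed to the integration script, followed by the hook it was sent to.
DISPATCH_RE = re.compile(
    r"/tmp/(?P<integration>[A-Za-z0-9_]+)-(?P<epoch>\d+)-\d+\.alert\s+(?P<hook>\S+)"
)


def parse_alerts(text):
    """alerts.json holds one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def alerts_for_integration(alerts, min_level):
    """Mirror the <level> filter: only rule.level >= min_level is forwarded."""
    return [a for a in alerts if int(a["rule"]["level"]) >= min_level]


def parse_integrations_log(text, integration="slack"):
    """Dispatches recorded for one integration, oldest first."""
    found = []
    for line in text.splitlines():
        m = DISPATCH_RE.search(line)
        if m and m.group("integration") == integration:
            found.append({"epoch": int(m.group("epoch")), "hook": m.group("hook")})
    return found


def alert_epoch(alert):
    """Alert ids are '<epoch seconds>.<offset>'; the epoch is when it fired."""
    return int(alert["id"].split(".", 1)[0])


def match_dispatch(alert, dispatches, window=5):
    """First dispatch written between 0 and `window` seconds after the alert
    (assumed correlation: the temp file is gone once the script has run)."""
    fired = alert_epoch(alert)
    for d in dispatches:
        if 0 <= d["epoch"] - fired <= window:
            return d
    return None


def verify_slack_e2e(alerts_text, log_text, min_level=10, window=5):
    """Return (sent, missing): ids of alerts at or above min_level that have a
    matching slack dispatch, and ids of those that do not."""
    alerts = parse_alerts(alerts_text)
    dispatches = parse_integrations_log(log_text, "slack")
    sent, missing = [], []
    for a in alerts_for_integration(alerts, min_level):
        (sent if match_dispatch(a, dispatches, window) else missing).append(a["id"])
    return sent, missing


def indexer_term_query(rule_id):
    """Request body for the wazuh-alerts-4.x-*/_search call used in Task 4."""
    return {"query": {"term": {"rule.id": rule_id}}}


def indexer_hit_for(response, rule_id, min_level):
    """First _source in a search response with the wanted rule id and a level
    at or above min_level, or None if the indexer has not received the alert."""
    for hit in response.get("hits", {}).get("hits", []):
        src = hit["_source"]
        if src["rule"]["id"] == rule_id and int(src["rule"]["level"]) >= min_level:
            return src
    return None


if __name__ == "__main__":
    print("sent/missing:", verify_slack_e2e(SAMPLE_ALERTS_JSON, SAMPLE_INTEGRATIONS_LOG))
    print("indexer query:", json.dumps(indexer_term_query("5712")))
```

In a real run the two text inputs come from `/var/ossec/logs/alerts/alerts.json` and `/var/ossec/logs/integrations.log`, and the response passed to `indexer_hit_for` is the parsed JSON of the curl call shown above; the level 5 alert in the sample is there so the test also proves that the `<level>` threshold keeps lower alerts out of Slack.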