wazuh / wazuh-ruleset

Wazuh - Ruleset
https://wazuh.com

Drop or ignore alerts from Debian #864

Open xaled1 opened 1 year ago

xaled1 commented 1 year ago

Hi,

Can you please help me with information on how to drop or ignore specific alerts generated by logins of a known SSH script on a Debian node?

Here are the alerts:

{ "_index": "wazuh-alerts-4.x-2023.06.11", "_id": "voQrrIgBGsvDBn9vACmL", "_version": 1, "_score": null, "_source": { "predecoder": { "hostname": "fra-api", "program_name": "sshd", "timestamp": "Jun 11 22:34:37" }, "input": { "type": "log" }, "agent": { "ip": "x.x.x.x", "name": "fra-api.example.com", "id": "001" }, "manager": { "name": "wazuh.manager" }, "data": { "uid": "0", "dstuser": "tf-script" }, "rule": { "mail": false, "level": 3, "pci_dss": [ "10.2.5" ], "hipaa": [ "164.312.b" ], "tsc": [ "CC6.8", "CC7.2", "CC7.3" ], "description": "PAM: Login session opened.", "groups": [ "pam", "syslog", "authentication_success" ], "nist_800_53": [ "AU.14", "AC.7" ], "gdpr": [ "IV_32.2" ], "firedtimes": 6482, "mitre": { "technique": [ "Valid Accounts" ], "id": [ "T1078" ], "tactic": [ "Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access" ] }, "id": "5501", "gpg13": [ "7.8", "7.9" ] }, "location": "/var/log/auth.log", "decoder": { "parent": "pam", "name": "pam" }, "id": "1686515677.503115546", "full_log": "Jun 11 22:34:37 fra-api sshd[6049]: pam_unix(sshd:session): session opened for user tf-script by (uid=0)", "timestamp": "2023-06-11T20:34:37.417+0000" }, "fields": { "timestamp": [ "2023-06-11T20:34:37.417Z" ] }, "sort": [ 1686515677417 ] }

{ "_index": "wazuh-alerts-4.x-2023.06.11", "_id": "v4QrrIgBGsvDBn9vACmL", "_version": 1, "_score": null, "_source": { "predecoder": { "hostname": "fra-api", "program_name": "sshd", "timestamp": "Jun 11 22:34:37" }, "input": { "type": "log" }, "agent": { "ip": "2.56.232.100", "name": "fra-api.example.com", "id": "001" }, "data": { "srcip": "x.x.x.x", "dstuser": "tf-script", "srcport": "36518" }, "manager": { "name": "wazuh.manager" }, "rule": { "mail": false, "level": 3, "hipaa": [ "164.312.b" ], "pci_dss": [ "10.2.5" ], "tsc": [ "CC6.8", "CC7.2", "CC7.3" ], "description": "sshd: authentication success.", "groups": [ "syslog", "sshd", "authentication_success" ], "nist_800_53": [ "AU.14", "AC.7" ], "gdpr": [ "IV_32.2" ], "firedtimes": 5049, "mitre": { "technique": [ "Valid Accounts", "Remote Services" ], "id": [ "T1078", "T1021" ], "tactic": [ "Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access", "Lateral Movement" ] }, "id": "5715", "gpg13": [ "7.1", "7.2" ] }, "location": "/var/log/auth.log", "decoder": { "parent": "sshd", "name": "sshd" }, "id": "1686515677.503115993", "GeoLocation": { "country_name": "Germany", "location": { "lon": 9.543, "lat": 52.453 } }, "full_log": "Jun 11 22:34:37 fra-api sshd[6047]: Accepted password for tf-script from x.x.x.x port 36518 ssh2", "timestamp": "2023-06-11T20:34:37.417+0000" }, "fields": { "timestamp": [ "2023-06-11T20:34:37.417Z" ] }, "sort": [ 1686515677417 ] }