wazuh / wazuh-splunk

Wazuh - Splunk App
https://wazuh.com
GNU General Public License v2.0

[Feature request] Wazuh events are not CIM compliant #940

Open manuasir opened 3 years ago

manuasir commented 3 years ago

Hello team,

Currently, the Wazuh alerts are treated as the _json sourcetype, so the data can be searched within the Search app and the Splunk app for Wazuh. However, the events cannot be populated from other add-ons. We should make the Wazuh alerts compliant with the Common Information Model (CIM).

More info: https://docs.splunk.com/Documentation/CIM/4.17.0/User/UsetheCIMtonormalizedataatsearchtime

Regards

manuasir commented 3 years ago

We finally managed to get Wazuh alerts compliant with the Splunk Common Information Model. The work done can be checked in this branch.

Proposal

The first approach was about creating a new Splunk TA that handles all the required transformations. As an example, check these Windows fields transforms out:

FIELDALIAS-wazuh_win_body = data.win.system.message as body
FIELDALIAS-wazuh_win_src = data.win.system.providerName as src
FIELDALIAS-wazuh_win_type = data.win.system.channel as type
FIELDALIAS-wazuh_win_dvc = data.win.system.computer as dvc
FIELDALIAS-wazuh_win_dvc_ip = agent.ip as dvc_ip

All of these (type, dvc, dvc_ip) are normalized names, so we can search for them in any CIM-compliant add-on or in the native Splunk Search app. Additionally, CIM also requires some numerical values to be normalized. We created several CSV files for that. For example, to normalize alert levels:

severity_id,severity
0,informational
1,informational
2,informational
3,informational
4,low
5,low
6,low
7,low
8,low
9,medium
10,medium
11,medium
12,high
13,high
14,high
15,critical

Those CSV files are loaded as Splunk lookups, which are loaded through props:

LOOKUP-severity_for_wazuh = wazuh_severities_lookup severity_id OUTPUT severity
LOOKUP-action_for_wazuh = wazuh_action_lookup signature_id AS wazuh_signature_id OUTPUT action,status,change_type,change_type AS wazuh_change_type

Finally, we checked the level of compliance with the CIM Validator app. Although we cannot be 100% compliant with all data models, we managed to get as much coverage as possible.

Finally, we had to handle the integration of this TA with the current Splunk App for Wazuh, which wasn't so hard, since it only required appending the new configurations to the existing ones.
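The search-time normalization described in the comment above (FIELDALIAS stanzas mapping Wazuh JSON paths to CIM field names, plus a CSV lookup that turns the numeric alert level into a CIM severity) can be reproduced offline to see what a CIM-aware add-on would actually receive. The following is an added example, not code from the wazuh-splunk repository or the branch mentioned above: it emulates the aliasing and lookup logic in plain Python on a constructed Wazuh alert. The alias list and the severity CSV are copied from the comment; the sample alert, the assumption that rule.level is what feeds severity_id (the comment's LOOKUP stanza keys on severity_id without showing where it comes from), the "unknown" fallback for levels absent from the CSV, and the missing_fields coverage check are all assumptions made for this example.

```python
import csv
import io
import json

# Constructed sample Wazuh alert for a Windows event (not a real alert);
# its fields are shaped so that the FIELDALIAS paths below resolve.
SAMPLE_ALERT = json.dumps({
    "rule": {"level": 12, "id": "60106", "description": "Windows logon failure"},
    "agent": {"id": "003", "name": "win-host-01", "ip": "10.0.0.25"},
    "data": {"win": {"system": {
        "message": "An account failed to log on.",
        "providerName": "Microsoft-Windows-Security-Auditing",
        "channel": "Security",
        "computer": "win-host-01.example.local",
    }}},
})

# The FIELDALIAS stanzas from the comment, as (Wazuh JSON path, CIM field name).
FIELD_ALIASES = [
    ("data.win.system.message", "body"),
    ("data.win.system.providerName", "src"),
    ("data.win.system.channel", "type"),
    ("data.win.system.computer", "dvc"),
    ("agent.ip", "dvc_ip"),
]

# The severity lookup CSV from the comment, embedded verbatim.
SEVERITY_CSV = """severity_id,severity
0,informational
1,informational
2,informational
3,informational
4,low
5,low
6,low
7,low
8,low
9,medium
10,medium
11,medium
12,high
13,high
14,high
15,critical
"""


def load_lookup(csv_text, key_field, out_field):
    """Parse a lookup CSV into a dict, mirroring LOOKUP-... key OUTPUT value."""
    return {row[key_field]: row[out_field]
            for row in csv.DictReader(io.StringIO(csv_text))}


def get_path(obj, dotted):
    """Resolve a dotted path such as data.win.system.channel; None if absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def normalize(alert_json, aliases=FIELD_ALIASES, severity_csv=SEVERITY_CSV):
    """Emulate search-time aliasing plus the severity lookup for one alert."""
    alert = json.loads(alert_json)
    cim = {}
    # FIELDALIAS: copy each source path to its CIM name when present.
    for src_path, cim_name in aliases:
        value = get_path(alert, src_path)
        if value is not None:
            cim[cim_name] = value
    # LOOKUP-severity_for_wazuh: severity_id -> severity. Assumption for this
    # example: rule.level is what populates severity_id.
    level = get_path(alert, "rule.level")
    if level is not None:
        cim["severity_id"] = level
        lookup = load_lookup(severity_csv, "severity_id", "severity")
        # Levels outside the CSV (e.g. a future rule level) fall back to "unknown"
        # rather than being silently dropped (fallback is an assumption here).
        cim["severity"] = lookup.get(str(level), "unknown")
    return cim


def missing_fields(cim, required):
    """Report which expected CIM fields an event lacks (a tiny coverage check)."""
    return [name for name in required if name not in cim]


if __name__ == "__main__":
    normalized = normalize(SAMPLE_ALERT)
    print(json.dumps(normalized, indent=2))
    print("missing:", missing_fields(
        normalized, ("body", "src", "type", "dvc", "dvc_ip", "severity")))
```

Running it against the constructed alert yields the CIM fields a downstream add-on would query (body, src, type, dvc, dvc_ip, severity=high). Feeding it a non-Windows alert shows the coverage gap the CIM Validator reports: the Windows-specific aliases simply do not fire, so body, src, type and dvc stay missing while dvc_ip and severity are still populated.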