wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Investigate how to filter AWS WAF alerts using fields present in the requestParameters.rules item list #14547

Closed CarlosRS9 closed 1 year ago

CarlosRS9 commented 2 years ago

Description

To determine the best way to address #14226 we need to determine if it is possible to filter the alerts in the UI using the data from the contents of the requestParameters.rules of a WAF log without having to apply major changes to our AWS integration. In particular, we want to be able to filter by the name and action keys contained in the different items present in the requestParameters.rules list.

The issue here is that the requestParameters.rules contains a list of items, each one corresponding to a different application, which prevents us from being able to filter by these fields. In addition to that, each of these items can contain different fields.

We need to investigate how the contents of requestParameters.rules are currently being indexed and displayed in the Discover page of the UI. To do this, we should:

  1. Send WAF logs containing requestParameters.rules to the analysis engine without applying any modification to them.
  2. Force them to generate alerts so they can be indexed and they appear in the Discover page.
  3. See how they are currently being indexed and how the requestParameters.rules contents are rendered in the interface.
  4. Check if it is possible to access the different fields for each item of the array.

One possible solution could be the usage of Elastic's nested fields to alter the way requestParameters.rules are being indexed and determine if this allows us to index them in a way that those items can be queried independently of each other.

We need to determine if #14226 can be achieved by means of the nested field or any other solution involving Elasticsearch configurations.

nico-stefani commented 2 years ago

Issue Update

I was able to reproduce the scenario with:

JSON Log:

```json
{ "Records": [ { "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "xxxxxxxxxxxxxxx", "arn": "-", "accountId": "XXXXXXXXXXXX", "accessKeyId": "-", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "-", "arn": "-" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-07-05T16:49:18Z", "mfaAuthenticated": "false" } } }, "eventTime": "2022-07-05T18:20:27Z", "eventSource": "wafv2.amazonaws.com", "eventName": "UpdateWebACL", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": { "name": "ec-web-acl", "scope": "REGIONAL", "id": "fd4c5ae0-4ddb-4bff-b67e-6786976f465f", "defaultAction": { "allow": {} }, "description": "ec-web-acl", "rules": [ { "name": "X-Application-ID", "priority": 0, "statement": { "byteMatchStatement": { "searchString": { "hb": [ 115, 121, 110, 116, 104, 101, 116, 105, 99 ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 9, "capacity": 9, "address": 0 }, "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "positionalConstraint": "CONTAINS" } }, "action": { "count": {} }, "ruleLabels": [ { "name": "RulesCustom:ApplicationRappi:Synthetic" } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "X-Application-ID" } }, { "name": "MS-Internos", "priority": 1, "statement": { "andStatement": { "statements": [ { "sizeConstraintStatement": { "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "comparisonOperator": "GE", "size": 0, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } }, { "notStatement": { "statement": { "byteMatchStatement": { "searchString": { "hb": [ 115, 121, 110, 116, 104, 101, 116, 105, 99 ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, 
"position": 0, "limit": 9, "capacity": 9, "address": 0 }, "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "positionalConstraint": "CONTAINS" } } } } ] } }, "action": { "count": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "MS-Internos" } }, { "name": "some-rules", "priority": 2, "statement": { "ruleGroupReferenceStatement": { "aRN": "arn:aws:wafv2:us-west-2:XXXXXXXXXXXX:regional/rulegroup/some/19dc9c90-b13d-420f-9a6f-fe8995d7bb4c" } }, "overrideAction": { "none": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "some-rules" } }, { "name": "MS-ECOM-PARTNER", "priority": 3, "statement": { "byteMatchStatement": { "searchString": { "hb": [ 47, 101, 99, 111, 109, 45, 112, 97, 114, 116, 110, 101, 114, 115, 47 ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 15, "capacity": 15, "address": 0 }, "fieldToMatch": { "uriPath": {} }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "positionalConstraint": "CONTAINS" } }, "action": { "count": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "MS-ECOM-PARTNER" } }, { "name": "RL_ALL", "priority": 4, "statement": { "rateBasedStatement": { "limit": 1000, "aggregateKeyType": "FORWARDED_IP", "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" } } }, "action": { "count": {} }, "ruleLabels": [ { "name": "CustomRules:RateLimitMS" } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "HttpFlood" } }, { "name": "Request_From_Country", "priority": 5, "statement": { "andStatement": { "statements": [ { "notStatement": { "statement": { "geoMatchStatement": { "countryCodes": [ "AR", "BR", "CL", "CO", "CR", "EC", 
"MX", "PE", "UY", "US" ], "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" } } } } }, { "byteMatchStatement": { "searchString": { "hb": [ 47, 114, 101, 115, 116, 97, 117, 114, 97, 110, 116, 115, 45, 98, 117, 115, 47 ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 17, "capacity": 17, "address": 0 }, "fieldToMatch": { "uriPath": {} }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "positionalConstraint": "CONTAINS" } } ] } }, "action": { "block": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "Request_From_Country" } }, { "name": "rl-es-proxy", "priority": 6, "statement": { "rateBasedStatement": { "limit": 750, "aggregateKeyType": "FORWARDED_IP", "scopeDownStatement": { "byteMatchStatement": { "searchString": { "hb": [ 47, 97, 112, 105, 47, 101, 115, 45, 112, 114, 111, 120, 121, 47, 115, 101, 97, 114, 99, 104, 47, 118, 50, 47, 112, 114, 111, 100, 117, 99, 116, 115 ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 32, "capacity": 32, "address": 0 }, "fieldToMatch": { "uriPath": {} }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "positionalConstraint": "STARTS_WITH" } }, "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" } } }, "action": { "block": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "rl-elasticsearch-proxy" } }, { "name": "some-bus-rl", "priority": 7, "statement": { "rateBasedStatement": { "limit": 350, "aggregateKeyType": "FORWARDED_IP", "scopeDownStatement": { "regexPatternSetReferenceStatement": { "aRN": "arn:aws:wafv2:us-west-2:XXXXXXXXXXXX:regional/regexpatternset/toppings-rl/a0350515-8fde-46a5-9f82-d786ff6327d1", "fieldToMatch": { "uriPath": {} }, "textTransformations": [ { "priority": 0, 
"type": "LOWERCASE" } ] } }, "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" } } }, "action": { "block": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "some-bus-rl" } } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "ec-web-acl" }, "lockToken": "69fed7cb-3bf4-4496-b1c1-9d32e9fd8a93" }, "responseElements": { "nextLockToken": "6bfdbd0f-44aa-4da9-99e6-efee9587ccfd" }, "requestID": "1b4926c1-40a5-4a9c-886f-9b376fb5d4eb", "eventID": "d7219f7a-f2a4-4f05-a7f3-8ba35934ed0d", "readOnly": false, "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "managementEvent": true, "recipientAccountId": "XXXXXXXXXXXX", "eventCategory": "Management", "sessionCredentialFromConsole": "true", "source": "cloudtrail", "aws_account_id": "XXXXXXXXXXXX" } ] }
```

Using the command:

```
root@wazuh:/var/ossec# /var/ossec/wodles/aws/aws-s3 -b wazuh-aws-wodle-waf -t cloudtrail -s 2022-Aug-17 -p dev -d2
DEBUG: +++ Debug mode on - Level: 2
DEBUG: +++ Table does not exist; create
DEBUG: +++ Working on XXXXXXXXXXXX - us-west-1
DEBUG: +++ Marker: AWSLogs/XXXXXXXXXXXX/CloudTrail/us-west-1/2022/08/17
DEBUG: ++ Found new log: AWSLogs/XXXXXXXXXXXX/CloudTrail/us-west-1/2022/08/17/XXXXXXXXXXXX_CloudTrail_us-west-1_20220817T0000Z_HASDoKlxgfdkdIOa.json.txt
DEBUG: +++ DB Maintenance
```

As a result, we can see that the data.aws.requestParameters.rules field is not correctly shown in the dashboard.


In the Discover section we can see it as raw JSON.


nico-stefani commented 2 years ago

Issue Update

I was able to configure requestParameters.rules as a nested field, using the base template, by adding the following section to the mapping:

```json
...
"requestParameters": {
  "properties": {
    "rules": {
       "type": "nested"
    }
  }
}
...
```

and adding data.aws.requestParameters.rules.name to the index.query.default_field list.

Full JSON:

```json
{ "order": 0, "index_patterns": [ "wazuh-alerts-4.x-*", "wazuh-archives-4.x-*" ], "settings": { "index.refresh_interval": "5s", "index.number_of_shards": "3", "index.number_of_replicas": "0", "index.auto_expand_replicas": "0-1", "index.mapping.total_fields.limit": 10000, "index.query.default_field": [ "GeoLocation.city_name", "GeoLocation.continent_code", "GeoLocation.country_code2", "GeoLocation.country_code3", "GeoLocation.country_name", "GeoLocation.ip", "GeoLocation.postal_code", "GeoLocation.real_region_name", "GeoLocation.region_name", "GeoLocation.timezone", "agent.id", "agent.ip", "agent.name", "cluster.name", "cluster.node", "command", "data", "data.action", "data.audit", "data.audit.acct", "data.audit.arch", "data.audit.auid", "data.audit.command", "data.audit.cwd", "data.audit.dev", "data.audit.directory.inode", "data.audit.directory.mode", "data.audit.directory.name", "data.audit.egid", "data.audit.enforcing", "data.audit.euid", "data.audit.exe", "data.audit.execve.a0", "data.audit.execve.a1", "data.audit.execve.a2", "data.audit.execve.a3", "data.audit.exit", "data.audit.file.inode", "data.audit.file.mode", "data.audit.file.name", "data.audit.fsgid", "data.audit.fsuid", "data.audit.gid", "data.audit.id", "data.audit.key", "data.audit.list", "data.audit.old-auid", "data.audit.old-ses", "data.audit.old_enforcing", "data.audit.old_prom", "data.audit.op", "data.audit.pid", "data.audit.ppid", "data.audit.prom", "data.audit.res", "data.audit.session", "data.audit.sgid", "data.audit.srcip", "data.audit.subj", "data.audit.success", "data.audit.suid", "data.audit.syscall", "data.audit.tty", "data.audit.uid", "data.aws.accountId", "data.aws.account_id", "data.aws.action", "data.aws.actor", "data.aws.aws_account_id", "data.aws.description", "data.aws.dstport", "data.aws.errorCode", "data.aws.errorMessage", "data.aws.eventID", "data.aws.eventName", "data.aws.eventSource", "data.aws.eventType", "data.aws.id", "data.aws.name", 
"data.aws.requestParameters.accessKeyId", "data.aws.requestParameters.bucketName", "data.aws.requestParameters.gatewayId", "data.aws.requestParameters.groupDescription", "data.aws.requestParameters.groupId", "data.aws.requestParameters.groupName", "data.aws.requestParameters.host", "data.aws.requestParameters.hostedZoneId", "data.aws.requestParameters.instanceId", "data.aws.requestParameters.instanceProfileName", "data.aws.requestParameters.loadBalancerName", "data.aws.requestParameters.loadBalancerPorts", "data.aws.requestParameters.masterUserPassword", "data.aws.requestParameters.masterUsername", "data.aws.requestParameters.name", "data.aws.requestParameters.natGatewayId", "data.aws.requestParameters.networkAclId", "data.aws.requestParameters.path", "data.aws.requestParameters.policyName", "data.aws.requestParameters.port", "data.aws.requestParameters.stackId", "data.aws.requestParameters.stackName", "data.aws.requestParameters.subnetId", "data.aws.requestParameters.subnetIds", "data.aws.requestParameters.volumeId", "data.aws.requestParameters.vpcId", "data.aws.requestParameters.rules.name", "data.aws.resource.accessKeyDetails.accessKeyId", "data.aws.resource.accessKeyDetails.principalId", "data.aws.resource.accessKeyDetails.userName", "data.aws.resource.instanceDetails.instanceId", "data.aws.resource.instanceDetails.instanceState", "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", "data.aws.resource.instanceDetails.networkInterfaces.subnetId", "data.aws.resource.instanceDetails.networkInterfaces.vpcId", "data.aws.resource.instanceDetails.tags.value", "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", "data.aws.responseElements.description", "data.aws.responseElements.instanceId", "data.aws.responseElements.instances.instanceId", "data.aws.responseElements.instancesSet.items.instanceId", "data.aws.responseElements.listeners.port", 
"data.aws.responseElements.loadBalancerName", "data.aws.responseElements.loadBalancers.vpcId", "data.aws.responseElements.loginProfile.userName", "data.aws.responseElements.networkAcl.vpcId", "data.aws.responseElements.ownerId", "data.aws.responseElements.publicIp", "data.aws.responseElements.user.userId", "data.aws.responseElements.user.userName", "data.aws.responseElements.volumeId", "data.aws.service.serviceName", "data.aws.severity", "data.aws.source", "data.aws.sourceIPAddress", "data.aws.srcport", "data.aws.userIdentity.accessKeyId", "data.aws.userIdentity.accountId", "data.aws.userIdentity.userName", "data.aws.vpcEndpointId", "data.command", "data.cis.group", "data.cis.rule_title", "data.data", "data.docker.Actor.Attributes.container", "data.docker.Actor.Attributes.image", "data.docker.Actor.Attributes.name", "data.docker.Actor.ID", "data.docker.id", "data.docker.message", "data.docker.status", "data.dstip", "data.dstport", "data.dstuser", "data.extra_data", "data.hotfix", "data.gcp.jsonPayload.queryName", "data.gcp.jsonPayload.vmInstanceName", "data.gcp.resource.labels.location", "data.gcp.resource.labels.project_id", "data.gcp.resource.labels.source_type", "data.gcp.resource.type", "data.github.org", "data.github.actor", "data.github.action", "data.github.repo", "data.hardware.serial", "data.hardware.cpu_name", "data.hardware.cpu_cores", "data.hardware.cpu_mhz", "data.hardware.ram_total", "data.hardware.ram_free", "data.hardware.ram_usage", "data.id", "data.integration", "data.netinfo.iface.adapter", "data.netinfo.iface.type", "data.netinfo.iface.state", "data.netinfo.iface.mtu", "data.netinfo.iface.ipv4.address", "data.netinfo.iface.ipv6.address", "data.netinfo.iface.mac", "data.netinfo.iface.tx_packets", "data.netinfo.iface.rx_packets", "data.netinfo.iface.tx_bytes", "data.netinfo.iface.rx_bytes", "data.netinfo.iface.tx_errors", "data.netinfo.iface.rx_errors", "data.netinfo.iface.tx_dropped", "data.netinfo.iface.rx_dropped", "data.netinfo.iface.name", 
"data.netinfo.proto.iface", "data.netinfo.proto.type", "data.netinfo.proto.gateway", "data.netinfo.proto.dhcp", "data.netinfo.proto.metric", "data.netinfo.addr.iface", "data.netinfo.addr.proto", "data.netinfo.addr.address", "data.netinfo.addr.netmask", "data.netinfo.addr.broadcast", "data.office365.Actor.ID", "data.office365.UserId", "data.office365.Operation", "data.office365.ClientIP", "data.os.architecture", "data.os.build", "data.os.codename", "data.os.hostname", "data.os.major", "data.os.minor", "data.os.patch", "data.os.name", "data.os.platform", "data.os.release", "data.os.os_release", "data.os.release_version", "data.os.display_version", "data.os.sysname", "data.os.version", "data.oscap.check.description", "data.oscap.check.id", "data.oscap.check.identifiers", "data.oscap.check.oval.id", "data.oscap.check.rationale", "data.oscap.check.references", "data.oscap.check.result", "data.oscap.check.severity", "data.oscap.check.title", "data.oscap.scan.benchmark.id", "data.oscap.scan.content", "data.oscap.scan.id", "data.oscap.scan.profile.id", "data.oscap.scan.profile.title", "data.osquery.columns.address", "data.osquery.columns.command", "data.osquery.columns.description", "data.osquery.columns.dst_ip", "data.osquery.columns.gid", "data.osquery.columns.hostname", "data.osquery.columns.md5", "data.osquery.columns.path", "data.osquery.columns.sha1", "data.osquery.columns.sha256", "data.osquery.columns.src_ip", "data.osquery.columns.user", "data.osquery.columns.username", "data.osquery.name", "data.osquery.pack", "data.port.process", "data.port.protocol", "data.port.local_ip", "data.port.local_port", "data.port.remote_ip", "data.port.remote_port", "data.port.tx_queue", "data.port.rx_queue", "data.port.inode", "data.port.state", "data.port.pid", "data.process.args", "data.process.cmd", "data.process.egroup", "data.process.euser", "data.process.fgroup", "data.process.priority", "data.process.nice", "data.process.size", "data.process.vm_size", "data.process.resident", 
"data.process.share", "data.process.start_time", "data.process.pgrp", "data.process.session", "data.process.nlwp", "data.process.tgid", "data.process.tty", "data.process.processor", "data.process.pid", "data.process.name", "data.process.rgroup", "data.process.ruser", "data.process.sgroup", "data.process.state", "data.process.ppid", "data.process.utime", "data.process.stime", "data.process.suser", "data.program.architecture", "data.program.description", "data.program.format", "data.program.location", "data.program.multiarch", "data.program.name", "data.program.priority", "data.program.size", "data.program.section", "data.program.source", "data.program.vendor", "data.program.install_time", "data.program.version", "data.protocol", "data.pwd", "data.sca", "data.sca.check.compliance.cis", "data.sca.check.compliance.cis_csc", "data.sca.check.compliance.pci_dss", "data.sca.check.compliance.hipaa", "data.sca.check.compliance.nist_800_53", "data.sca.check.description", "data.sca.check.directory", "data.sca.check.file", "data.sca.check.id", "data.sca.check.previous_result", "data.sca.check.process", "data.sca.check.rationale", "data.sca.check.reason", "data.sca.check.references", "data.sca.check.registry", "data.sca.check.remediation", "data.sca.check.result", "data.sca.check.status", "data.sca.check.title", "data.sca.description", "data.sca.file", "data.sca.invalid", "data.sca.name", "data.sca.policy", "data.sca.policy_id", "data.sca.scan_id", "data.sca.total_checks", "data.script", "data.src_ip", "data.src_port", "data.srcip", "data.srcport", "data.srcuser", "data.status", "data.system_name", "data.title", "data.tty", "data.uid", "data.url", "data.virustotal.description", "data.virustotal.error", "data.virustotal.found", "data.virustotal.permalink", "data.virustotal.scan_date", "data.virustotal.sha1", "data.virustotal.source.alert_id", "data.virustotal.source.file", "data.virustotal.source.md5", "data.virustotal.source.sha1", "data.vulnerability.cve", 
"data.vulnerability.cvss.cvss2.base_score", "data.vulnerability.cvss.cvss2.exploitability_score", "data.vulnerability.cvss.cvss2.impact_score", "data.vulnerability.cvss.cvss2.vector.access_complexity", "data.vulnerability.cvss.cvss2.vector.attack_vector", "data.vulnerability.cvss.cvss2.vector.authentication", "data.vulnerability.cvss.cvss2.vector.availability", "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", "data.vulnerability.cvss.cvss2.vector.integrity_impact", "data.vulnerability.cvss.cvss2.vector.privileges_required", "data.vulnerability.cvss.cvss2.vector.scope", "data.vulnerability.cvss.cvss2.vector.user_interaction", "data.vulnerability.cvss.cvss3.base_score", "data.vulnerability.cvss.cvss3.exploitability_score", "data.vulnerability.cvss.cvss3.impact_score", "data.vulnerability.cvss.cvss3.vector.access_complexity", "data.vulnerability.cvss.cvss3.vector.attack_vector", "data.vulnerability.cvss.cvss3.vector.authentication", "data.vulnerability.cvss.cvss3.vector.availability", "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", "data.vulnerability.cvss.cvss3.vector.integrity_impact", "data.vulnerability.cvss.cvss3.vector.privileges_required", "data.vulnerability.cvss.cvss3.vector.scope", "data.vulnerability.cvss.cvss3.vector.user_interaction", "data.vulnerability.cwe_reference", "data.vulnerability.package.source", "data.vulnerability.package.architecture", "data.vulnerability.package.condition", "data.vulnerability.package.generated_cpe", "data.vulnerability.package.name", "data.vulnerability.package.version", "data.vulnerability.rationale", "data.vulnerability.severity", "data.vulnerability.title", "data.vulnerability.assigner", "data.vulnerability.cve_version", "data.win.eventdata.auditPolicyChanges", "data.win.eventdata.auditPolicyChangesId", "data.win.eventdata.binary", "data.win.eventdata.category", "data.win.eventdata.categoryId", "data.win.eventdata.data", "data.win.eventdata.image", "data.win.eventdata.ipAddress", 
"data.win.eventdata.ipPort", "data.win.eventdata.keyName", "data.win.eventdata.logonGuid", "data.win.eventdata.logonProcessName", "data.win.eventdata.operation", "data.win.eventdata.parentImage", "data.win.eventdata.processId", "data.win.eventdata.processName", "data.win.eventdata.providerName", "data.win.eventdata.returnCode", "data.win.eventdata.service", "data.win.eventdata.status", "data.win.eventdata.subcategory", "data.win.eventdata.subcategoryGuid", "data.win.eventdata.subcategoryId", "data.win.eventdata.subjectDomainName", "data.win.eventdata.subjectLogonId", "data.win.eventdata.subjectUserName", "data.win.eventdata.subjectUserSid", "data.win.eventdata.targetDomainName", "data.win.eventdata.targetLinkedLogonId", "data.win.eventdata.targetLogonId", "data.win.eventdata.targetUserName", "data.win.eventdata.targetUserSid", "data.win.eventdata.workstationName", "data.win.system.channel", "data.win.system.computer", "data.win.system.eventID", "data.win.system.eventRecordID", "data.win.system.eventSourceName", "data.win.system.keywords", "data.win.system.level", "data.win.system.message", "data.win.system.opcode", "data.win.system.processID", "data.win.system.providerGuid", "data.win.system.providerName", "data.win.system.securityUserID", "data.win.system.severityValue", "data.win.system.userID", "decoder.ftscomment", "decoder.name", "decoder.parent", "full_log", "host", "id", "input", "location", "manager.name", "message", "offset", "predecoder.hostname", "predecoder.program_name", "previous_log", "previous_output", "program_name", "rule.cis", "rule.cve", "rule.description", "rule.gdpr", "rule.gpg13", "rule.groups", "rule.id", "rule.info", "rule.mitre.id", "rule.mitre.tactic", "rule.mitre.technique", "rule.pci_dss", "rule.hipaa", "rule.nist_800_53", "syscheck.audit.effective_user.id", "syscheck.audit.effective_user.name", "syscheck.audit.group.id", "syscheck.audit.group.name", "syscheck.audit.login_user.id", "syscheck.audit.login_user.name", 
"syscheck.audit.process.id", "syscheck.audit.process.name", "syscheck.audit.process.ppid", "syscheck.audit.user.id", "syscheck.audit.user.name", "syscheck.diff", "syscheck.event", "syscheck.gid_after", "syscheck.gid_before", "syscheck.gname_after", "syscheck.gname_before", "syscheck.inode_after", "syscheck.inode_before", "syscheck.md5_after", "syscheck.md5_before", "syscheck.path", "syscheck.mode", "syscheck.perm_after", "syscheck.perm_before", "syscheck.sha1_after", "syscheck.sha1_before", "syscheck.sha256_after", "syscheck.sha256_before", "syscheck.tags", "syscheck.uid_after", "syscheck.uid_before", "syscheck.uname_after", "syscheck.uname_before", "syscheck.arch", "syscheck.value_name", "syscheck.value_type", "syscheck.changed_attributes", "title", "type", "operation_type" ] }, "mappings": { "dynamic_templates": [ { "string_as_keyword": { "mapping": { "type": "keyword" }, "match_mapping_type": "string" } } ], "date_detection": false, "properties": { "@timestamp": { "type": "date" }, "timestamp": { "type": "date", "format": "date_optional_time||epoch_millis" }, "@version": { "type": "text" }, "agent": { "properties": { "ip": { "type": "keyword" }, "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "manager": { "properties": { "name": { "type": "keyword" } } }, "cluster": { "properties": { "name": { "type": "keyword" }, "node": { "type": "keyword" } } }, "full_log": { "type": "text" }, "previous_log": { "type": "text" }, "GeoLocation": { "properties": { "area_code": { "type": "long" }, "city_name": { "type": "keyword" }, "continent_code": { "type": "text" }, "coordinates": { "type": "double" }, "country_code2": { "type": "text" }, "country_code3": { "type": "text" }, "country_name": { "type": "keyword" }, "dma_code": { "type": "long" }, "ip": { "type": "keyword" }, "latitude": { "type": "double" }, "location": { "type": "geo_point" }, "longitude": { "type": "double" }, "postal_code": { "type": "keyword" }, "real_region_name": { "type": "keyword" }, 
"region_name": { "type": "keyword" }, "timezone": { "type": "text" } } }, "host": { "type": "keyword" }, "syscheck": { "properties": { "path": { "type": "keyword" }, "hard_links": { "type": "keyword" }, "mode": { "type": "keyword" }, "sha1_before": { "type": "keyword" }, "sha1_after": { "type": "keyword" }, "uid_before": { "type": "keyword" }, "uid_after": { "type": "keyword" }, "gid_before": { "type": "keyword" }, "gid_after": { "type": "keyword" }, "perm_before": { "type": "keyword" }, "perm_after": { "type": "keyword" }, "md5_after": { "type": "keyword" }, "md5_before": { "type": "keyword" }, "gname_after": { "type": "keyword" }, "gname_before": { "type": "keyword" }, "inode_after": { "type": "keyword" }, "inode_before": { "type": "keyword" }, "mtime_after": { "type": "date", "format": "date_optional_time" }, "mtime_before": { "type": "date", "format": "date_optional_time" }, "uname_after": { "type": "keyword" }, "uname_before": { "type": "keyword" }, "size_before": { "type": "long" }, "size_after": { "type": "long" }, "diff": { "type": "keyword" }, "event": { "type": "keyword" }, "audit": { "properties": { "effective_user": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "group": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "login_user": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }, "process": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" }, "ppid": { "type": "keyword" } } }, "user": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } } } }, "sha256_after": { "type": "keyword" }, "sha256_before": { "type": "keyword" }, "tags": { "type": "keyword" } } }, "location": { "type": "keyword" }, "message": { "type": "text" }, "offset": { "type": "keyword" }, "rule": { "properties": { "description": { "type": "keyword" }, "groups": { "type": "keyword" }, "level": { "type": "long" }, "tsc": { "type": "keyword" 
}, "id": { "type": "keyword" }, "cve": { "type": "keyword" }, "info": { "type": "keyword" }, "frequency": { "type": "long" }, "firedtimes": { "type": "long" }, "cis": { "type": "keyword" }, "pci_dss": { "type": "keyword" }, "gdpr": { "type": "keyword" }, "gpg13": { "type": "keyword" }, "hipaa": { "type": "keyword" }, "nist_800_53": { "type": "keyword" }, "mail": { "type": "boolean" }, "mitre": { "properties": { "id": { "type": "keyword" }, "tactic": { "type": "keyword" }, "technique": { "type": "keyword" } } } } }, "predecoder": { "properties": { "program_name": { "type": "keyword" }, "timestamp": { "type": "keyword" }, "hostname": { "type": "keyword" } } }, "decoder": { "properties": { "parent": { "type": "keyword" }, "name": { "type": "keyword" }, "ftscomment": { "type": "keyword" }, "fts": { "type": "long" }, "accumulate": { "type": "long" } } }, "data": { "properties": { "audit": { "properties": { "acct": { "type": "keyword" }, "arch": { "type": "keyword" }, "auid": { "type": "keyword" }, "command": { "type": "keyword" }, "cwd": { "type": "keyword" }, "dev": { "type": "keyword" }, "directory": { "properties": { "inode": { "type": "keyword" }, "mode": { "type": "keyword" }, "name": { "type": "keyword" } } }, "egid": { "type": "keyword" }, "enforcing": { "type": "keyword" }, "euid": { "type": "keyword" }, "exe": { "type": "keyword" }, "execve": { "properties": { "a0": { "type": "keyword" }, "a1": { "type": "keyword" }, "a2": { "type": "keyword" }, "a3": { "type": "keyword" } } }, "exit": { "type": "keyword" }, "file": { "properties": { "inode": { "type": "keyword" }, "mode": { "type": "keyword" }, "name": { "type": "keyword" } } }, "fsgid": { "type": "keyword" }, "fsuid": { "type": "keyword" }, "gid": { "type": "keyword" }, "id": { "type": "keyword" }, "key": { "type": "keyword" }, "list": { "type": "keyword" }, "old-auid": { "type": "keyword" }, "old-ses": { "type": "keyword" }, "old_enforcing": { "type": "keyword" }, "old_prom": { "type": "keyword" }, "op": { 
"type": "keyword" }, "pid": { "type": "keyword" }, "ppid": { "type": "keyword" }, "prom": { "type": "keyword" }, "res": { "type": "keyword" }, "session": { "type": "keyword" }, "sgid": { "type": "keyword" }, "srcip": { "type": "keyword" }, "subj": { "type": "keyword" }, "success": { "type": "keyword" }, "suid": { "type": "keyword" }, "syscall": { "type": "keyword" }, "tty": { "type": "keyword" }, "type": { "type": "keyword" }, "uid": { "type": "keyword" } } }, "protocol": { "type": "keyword" }, "action": { "type": "keyword" }, "srcip": { "type": "keyword" }, "dstip": { "type": "keyword" }, "srcport": { "type": "keyword" }, "dstport": { "type": "keyword" }, "srcuser": { "type": "keyword" }, "dstuser": { "type": "keyword" }, "id": { "type": "keyword" }, "status": { "type": "keyword" }, "data": { "type": "keyword" }, "extra_data": { "type": "keyword" }, "system_name": { "type": "keyword" }, "url": { "type": "keyword" }, "oscap": { "properties": { "check": { "properties": { "description": { "type": "text" }, "id": { "type": "keyword" }, "identifiers": { "type": "text" }, "oval": { "properties": { "id": { "type": "keyword" } } }, "rationale": { "type": "text" }, "references": { "type": "text" }, "result": { "type": "keyword" }, "severity": { "type": "keyword" }, "title": { "type": "keyword" } } }, "scan": { "properties": { "benchmark": { "properties": { "id": { "type": "keyword" } } }, "content": { "type": "keyword" }, "id": { "type": "keyword" }, "profile": { "properties": { "id": { "type": "keyword" }, "title": { "type": "keyword" } } }, "return_code": { "type": "long" }, "score": { "type": "double" } } } } }, "office365": { "properties": { "Actor": { "properties": { "ID": { "type": "keyword" } } }, "UserId": { "type": "keyword" }, "Operation": { "type": "keyword" }, "ClientIP": { "type": "keyword" }, "ResultStatus": { "type": "keyword" }, "Subscription": { "type": "keyword" } } }, "github": { "properties": { "org": { "type": "keyword" }, "actor": { "type": "keyword" 
}, "action": { "type": "keyword" }, "actor_location": { "properties": { "country_code": { "type": "keyword" } } }, "repo": { "type": "keyword" } } }, "type": { "type": "keyword" }, "netinfo": { "properties": { "iface": { "properties": { "name": { "type": "keyword" }, "mac": { "type": "keyword" }, "adapter": { "type": "keyword" }, "type": { "type": "keyword" }, "state": { "type": "keyword" }, "mtu": { "type": "long" }, "tx_bytes": { "type": "long" }, "rx_bytes": { "type": "long" }, "tx_errors": { "type": "long" }, "rx_errors": { "type": "long" }, "tx_dropped": { "type": "long" }, "rx_dropped": { "type": "long" }, "tx_packets": { "type": "long" }, "rx_packets": { "type": "long" }, "ipv4": { "properties": { "gateway": { "type": "keyword" }, "dhcp": { "type": "keyword" }, "address": { "type": "keyword" }, "netmask": { "type": "keyword" }, "broadcast": { "type": "keyword" }, "metric": { "type": "long" } } }, "ipv6": { "properties": { "gateway": { "type": "keyword" }, "dhcp": { "type": "keyword" }, "address": { "type": "keyword" }, "netmask": { "type": "keyword" }, "broadcast": { "type": "keyword" }, "metric": { "type": "long" } } } } } } }, "os": { "properties": { "hostname": { "type": "keyword" }, "architecture": { "type": "keyword" }, "name": { "type": "keyword" }, "version": { "type": "keyword" }, "codename": { "type": "keyword" }, "major": { "type": "keyword" }, "minor": { "type": "keyword" }, "patch": { "type": "keyword" }, "build": { "type": "keyword" }, "platform": { "type": "keyword" }, "sysname": { "type": "keyword" }, "release": { "type": "keyword" }, "release_version": { "type": "keyword" }, "display_version": { "type": "keyword" } } }, "port": { "properties": { "protocol": { "type": "keyword" }, "local_ip": { "type": "ip" }, "local_port": { "type": "long" }, "remote_ip": { "type": "ip" }, "remote_port": { "type": "long" }, "tx_queue": { "type": "long" }, "rx_queue": { "type": "long" }, "inode": { "type": "long" }, "state": { "type": "keyword" }, "pid": { 
"type": "long" }, "process": { "type": "keyword" } } }, "hardware": { "properties": { "serial": { "type": "keyword" }, "cpu_name": { "type": "keyword" }, "cpu_cores": { "type": "long" }, "cpu_mhz": { "type": "double" }, "ram_total": { "type": "long" }, "ram_free": { "type": "long" }, "ram_usage": { "type": "long" } } }, "program": { "properties": { "format": { "type": "keyword" }, "name": { "type": "keyword" }, "priority": { "type": "keyword" }, "section": { "type": "keyword" }, "size": { "type": "long" }, "vendor": { "type": "keyword" }, "install_time": { "type": "keyword" }, "version": { "type": "keyword" }, "architecture": { "type": "keyword" }, "multiarch": { "type": "keyword" }, "source": { "type": "keyword" }, "description": { "type": "keyword" }, "location": { "type": "keyword" } } }, "process": { "properties": { "pid": { "type": "long" }, "name": { "type": "keyword" }, "state": { "type": "keyword" }, "ppid": { "type": "long" }, "utime": { "type": "long" }, "stime": { "type": "long" }, "cmd": { "type": "keyword" }, "args": { "type": "keyword" }, "euser": { "type": "keyword" }, "ruser": { "type": "keyword" }, "suser": { "type": "keyword" }, "egroup": { "type": "keyword" }, "sgroup": { "type": "keyword" }, "fgroup": { "type": "keyword" }, "rgroup": { "type": "keyword" }, "priority": { "type": "long" }, "nice": { "type": "long" }, "size": { "type": "long" }, "vm_size": { "type": "long" }, "resident": { "type": "long" }, "share": { "type": "long" }, "start_time": { "type": "long" }, "pgrp": { "type": "long" }, "session": { "type": "long" }, "nlwp": { "type": "long" }, "tgid": { "type": "long" }, "tty": { "type": "long" }, "processor": { "type": "long" } } }, "sca": { "properties": { "type": { "type": "keyword" }, "scan_id": { "type": "keyword" }, "policy": { "type": "keyword" }, "name": { "type": "keyword" }, "file": { "type": "keyword" }, "description": { "type": "keyword" }, "passed": { "type": "integer" }, "failed": { "type": "integer" }, "score": { "type": 
"long" }, "check": { "properties": { "id": { "type": "keyword" }, "title": { "type": "keyword" }, "description": { "type": "keyword" }, "rationale": { "type": "keyword" }, "remediation": { "type": "keyword" }, "compliance": { "properties": { "cis": { "type": "keyword" }, "cis_csc": { "type": "keyword" }, "pci_dss": { "type": "keyword" }, "hipaa": { "type": "keyword" }, "nist_800_53": { "type": "keyword" } } }, "references": { "type": "keyword" }, "file": { "type": "keyword" }, "directory": { "type": "keyword" }, "registry": { "type": "keyword" }, "process": { "type": "keyword" }, "result": { "type": "keyword" }, "previous_result": { "type": "keyword" }, "reason": { "type": "keyword" }, "status": { "type": "keyword" } } }, "invalid": { "type": "keyword" }, "policy_id": { "type": "keyword" }, "total_checks": { "type": "keyword" } } }, "command": { "type": "keyword" }, "integration": { "type": "keyword" }, "timestamp": { "type": "date" }, "title": { "type": "keyword" }, "uid": { "type": "keyword" }, "virustotal": { "properties": { "description": { "type": "keyword" }, "error": { "type": "keyword" }, "found": { "type": "keyword" }, "malicious": { "type": "keyword" }, "permalink": { "type": "keyword" }, "positives": { "type": "keyword" }, "scan_date": { "type": "keyword" }, "sha1": { "type": "keyword" }, "source": { "properties": { "alert_id": { "type": "keyword" }, "file": { "type": "keyword" }, "md5": { "type": "keyword" }, "sha1": { "type": "keyword" } } }, "total": { "type": "keyword" } } }, "vulnerability": { "properties": { "cve": { "type": "keyword" }, "cvss": { "properties": { "cvss2": { "properties": { "base_score": { "type": "keyword" }, "exploitability_score": { "type": "keyword" }, "impact_score": { "type": "keyword" }, "vector": { "properties": { "access_complexity": { "type": "keyword" }, "attack_vector": { "type": "keyword" }, "authentication": { "type": "keyword" }, "availability": { "type": "keyword" }, "confidentiality_impact": { "type": "keyword" }, 
```
"integrity_impact": { "type": "keyword" }, "privileges_required": { "type": "keyword" }, "scope": { "type": "keyword" }, "user_interaction": { "type": "keyword" } } } } }, "cvss3": { "properties": { "base_score": { "type": "keyword" }, "exploitability_score": { "type": "keyword" }, "impact_score": { "type": "keyword" }, "vector": { "properties": { "access_complexity": { "type": "keyword" }, "attack_vector": { "type": "keyword" }, "authentication": { "type": "keyword" }, "availability": { "type": "keyword" }, "confidentiality_impact": { "type": "keyword" }, "integrity_impact": { "type": "keyword" }, "privileges_required": { "type": "keyword" }, "scope": { "type": "keyword" }, "user_interaction": { "type": "keyword" } } } } } } }, "cwe_reference": { "type": "keyword" }, "package": { "properties": { "source": { "type": "keyword" }, "architecture": { "type": "keyword" }, "condition": { "type": "keyword" }, "generated_cpe": { "type": "keyword" }, "name": { "type": "keyword" }, "version": { "type": "keyword" } } }, "published": { "type": "date" }, "updated": { "type": "date" }, "rationale": { "type": "keyword" }, "severity": { "type": "keyword" }, "title": { "type": "keyword" }, "assigner": { "type": "keyword" }, "cve_version": { "type": "keyword" } } }, "aws": { "properties": { "requestParameters": { "properties": { "rules": { "type": "nested" } } }, "source": { "type": "keyword" }, "accountId": { "type": "keyword" }, "log_info": { "properties": { "s3bucket": { "type": "keyword" } } }, "region": { "type": "keyword" }, "bytes": { "type": "long" }, "dstaddr": { "type": "ip" }, "srcaddr": { "type": "ip" }, "end": { "type": "date" }, "start": { "type": "date" }, "source_ip_address": { "type": "ip" }, "service": { "properties": { "count": { "type": "long" }, "action.networkConnectionAction.remoteIpDetails": { "properties": { "ipAddressV4": { "type": "ip" }, "geoLocation": { "type": "geo_point" } } }, "eventFirstSeen": { "type": "date" }, "eventLastSeen": { "type": "date" } } 
}, "createdAt": { "type": "date" }, "updatedAt": { "type": "date" }, "resource.instanceDetails": { "properties": { "launchTime": { "type": "date" }, "networkInterfaces": { "properties": { "privateIpAddress": { "type": "ip" }, "publicIp": { "type": "ip" } } } } } } }, "cis": { "properties": { "benchmark": { "type": "keyword" }, "error": { "type": "long" }, "fail": { "type": "long" }, "group": { "type": "keyword" }, "notchecked": { "type": "long" }, "pass": { "type": "long" }, "result": { "type": "keyword" }, "rule_title": { "type": "keyword" }, "score": { "type": "long" }, "timestamp": { "type": "keyword" }, "unknown": { "type": "long" } } }, "docker": { "properties": { "Action": { "type": "keyword" }, "Actor": { "properties": { "Attributes": { "properties": { "image": { "type": "keyword" }, "name": { "type": "keyword" } } } } }, "Type": { "type": "keyword" } } }, "gcp": { "properties": { "jsonPayload": { "properties": { "authAnswer": { "type": "keyword" }, "queryName": { "type": "keyword" }, "responseCode": { "type": "keyword" }, "vmInstanceId": { "type": "keyword" }, "vmInstanceName": { "type": "keyword" } } }, "resource": { "properties": { "labels": { "properties": { "location": { "type": "keyword" }, "project_id": { "type": "keyword" }, "source_type": { "type": "keyword" } } }, "type": { "type": "keyword" } } }, "severity": { "type": "keyword" } } }, "osquery": { "properties": { "name": { "type": "keyword" }, "pack": { "type": "keyword" }, "action": { "type": "keyword" }, "calendarTime": { "type": "keyword" } } } } }, "program_name": { "type": "keyword" }, "command": { "type": "keyword" }, "type": { "type": "text" }, "title": { "type": "keyword" }, "id": { "type": "keyword" }, "input": { "properties": { "type": { "type": "keyword" } } }, "previous_output": { "type": "keyword" } } }, "version": 1 }

Load the new configuration and refresh the field list in Stack Management > Index Patterns > wazuh-alerts-*.

curl -XPUT -k -u admin:SecretPassword 'https://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @wazuh-template.json

After that we have the object field listed.

Now, as we can see in the Discover section, the field requestParameters.rules is treated as a NestedField.

But I still have some trouble filtering by the object fields.

And the field in the security events dashboard isn't showing correctly.

I will continue my research.

nico-stefani commented 2 years ago

Issue Update

Also, I tried mapping all the fields contained in the rule object, with the same results as before.

"requestParameters": {
    "properties": {
        "rules": {
            "type": "nested",
            "properties": {
                "name": {
                    "type": "keyword"
                },
                "priority": {
                    "type": "integer"
                },
                "statement": {
                    "type": "object"
                },
                "action": {
                    "type": "object"
                },
                "ruleLabels": {
                    "type": "nested"
                },
                "visibilityConfig": {
                    "type": "object"
                }
            }
        }
    }
}
nico-stefani commented 2 years ago

Issue Update

I made some changes to the WAF log, splitting it into two records with 4 objects in the rules array each. And I ran the module to ingest the alerts.

/var/ossec/wodles/aws/aws-s3 -b wazuh-aws-wodle-waf -t cloudtrail -s 2022-Aug-19 -p dev -d2
Full JSON log { "Records": [ { "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "xxxxxxxxxxxxxxx", "arn": "-", "accountId": "XXXXXXXXXXXX", "accessKeyId": "-", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "-", "arn": "-" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-07-05T16:49:18Z", "mfaAuthenticated": "false" } } }, "eventTime": "2022-07-05T18:20:27Z", "eventSource": "wafv2.amazonaws.com", "eventName": "UpdateWebACL", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": { "name": "ec-web-acl", "scope": "REGIONAL", "id": "fd4c5ae0-4ddb-4bff-b67e-6786976f465f", "defaultAction": { "allow": {} }, "description": "ec-web-acl", "rules": [ { "name": "X-Application-ID", "priority": 0, "statement": { "byteMatchStatement": { "searchString": { "hb": [ 115, 121, 110, 116, 104, 101, 116, 105, 99 ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 9, "capacity": 9, "address": 0 }, "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "positionalConstraint": "CONTAINS" } }, "action": { "count": {} }, "ruleLabels": [ { "name": "RulesCustom:ApplicationRappi:Synthetic" } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "X-Application-ID" } }, { "name": "MS-Internos", "priority": 1, "statement": { "andStatement": { "statements": [ { "sizeConstraintStatement": { "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "comparisonOperator": "GE", "size": 0, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } }, { "notStatement": { "statement": { "byteMatchStatement": { "searchString": { "hb": [ 115, 121, 110, 116, 104, 101, 116, 105, 99 ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": 
-1, "position": 0, "limit": 9, "capacity": 9, "address": 0 }, "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "positionalConstraint": "CONTAINS" } } } } ] } }, "action": { "count": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "MS-Internos" } }, { "name": "some-rules", "priority": 2, "statement": { "ruleGroupReferenceStatement": { "aRN": "arn:aws:wafv2:us-west-2:XXXXXXXXXXXX:regional/rulegroup/some/19dc9c90-b13d-420f-9a6f-fe8995d7bb4c" } }, "overrideAction": { "none": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "some-rules" } }, { "name": "MS-ECOM-PARTNER", "priority": 3, "statement": { "byteMatchStatement": { "searchString": { "hb": [ 47, 101, 99, 111, 109, 45, 112, 97, 114, 116, 110, 101, 114, 115, 47 ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 15, "capacity": 15, "address": 0 }, "fieldToMatch": { "uriPath": {} }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "positionalConstraint": "CONTAINS" } }, "action": { "count": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "MS-ECOM-PARTNER" } } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "ec-web-acl" }, "lockToken": "69fed7cb-3bf4-4496-b1c1-9d32e9fd8a93" }, "responseElements": { "nextLockToken": "6bfdbd0f-44aa-4da9-99e6-efee9587ccfd" }, "requestID": "1b4926c1-40a5-4a9c-886f-9b376fb5d4eb", "eventID": "d7219f7a-f2a4-4f05-a7f3-8ba35934ed0d", "readOnly": false, "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "managementEvent": true, "recipientAccountId": "XXXXXXXXXXXX", "eventCategory": "Management", "sessionCredentialFromConsole": "true", "source": "cloudtrail", "aws_account_id": "XXXXXXXXXXXX" 
}, { "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "xxxxxxxxxxxxxxx", "arn": "-", "accountId": "XXXXXXXXXXXX", "accessKeyId": "-", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "-", "arn": "-" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-07-05T16:49:18Z", "mfaAuthenticated": "false" } } }, "eventTime": "2022-07-05T18:20:27Z", "eventSource": "wafv2.amazonaws.com", "eventName": "UpdateWebACL", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": { "name": "ec-web-acl", "scope": "REGIONAL", "id": "fd4c5ae0-4ddb-4bff-b67e-6786976f465f", "defaultAction": { "allow": {} }, "description": "ec-web-acl", "rules": [ { "name": "RL_ALL", "priority": 4, "statement": { "rateBasedStatement": { "limit": 1000, "aggregateKeyType": "FORWARDED_IP", "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" } } }, "action": { "count": {} }, "ruleLabels": [ { "name": "CustomRules:RateLimitMS" } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "HttpFlood" } }, { "name": "Request_From_Country", "priority": 5, "statement": { "andStatement": { "statements": [ { "notStatement": { "statement": { "geoMatchStatement": { "countryCodes": [ "AR", "BR", "CL", "CO", "CR", "EC", "MX", "PE", "UY", "US" ], "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" } } } } }, { "byteMatchStatement": { "searchString": { "hb": [ 47, 114, 101, 115, 116, 97, 117, 114, 97, 110, 116, 115, 45, 98, 117, 115, 47 ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 17, "capacity": 17, "address": 0 }, "fieldToMatch": { "uriPath": {} }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "positionalConstraint": "CONTAINS" } } ] } }, "action": { "block": {} }, "visibilityConfig": { 
"sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "Request_From_Country" } }, { "name": "rl-es-proxy", "priority": 6, "statement": { "rateBasedStatement": { "limit": 750, "aggregateKeyType": "FORWARDED_IP", "scopeDownStatement": { "byteMatchStatement": { "searchString": { "hb": [ 47, 97, 112, 105, 47, 101, 115, 45, 112, 114, 111, 120, 121, 47, 115, 101, 97, 114, 99, 104, 47, 118, 50, 47, 112, 114, 111, 100, 117, 99, 116, 115 ], "offset": 0, "isReadOnly": false, "bigEndian": true, "nativeByteOrder": false, "mark": -1, "position": 0, "limit": 32, "capacity": 32, "address": 0 }, "fieldToMatch": { "uriPath": {} }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "positionalConstraint": "STARTS_WITH" } }, "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" } } }, "action": { "block": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "rl-elasticsearch-proxy" } }, { "name": "some-bus-rl", "priority": 7, "statement": { "rateBasedStatement": { "limit": 350, "aggregateKeyType": "FORWARDED_IP", "scopeDownStatement": { "regexPatternSetReferenceStatement": { "aRN": "arn:aws:wafv2:us-west-2:XXXXXXXXXXXX:regional/regexpatternset/toppings-rl/a0350515-8fde-46a5-9f82-d786ff6327d1", "fieldToMatch": { "uriPath": {} }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } }, "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" } } }, "action": { "block": {} }, "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "some-bus-rl" } } ], "visibilityConfig": { "sampledRequestsEnabled": true, "cloudWatchMetricsEnabled": true, "metricName": "ec-web-acl" }, "lockToken": "69fed7cb-3bf4-4496-b1c1-9d32e9fd8a93" }, "responseElements": { "nextLockToken": "6bfdbd0f-44aa-4da9-99e6-efee9587ccfd" }, "requestID": "1b4926c1-40a5-4a9c-886f-9b376fb5d4eb", "eventID": 
"d7219f7a-f2a4-4f05-a7f3-8ba35934ed0d", "readOnly": false, "eventType": "AwsApiCall", "apiVersion": "2019-04-23", "managementEvent": true, "recipientAccountId": "XXXXXXXXXXXX", "eventCategory": "Management", "sessionCredentialFromConsole": "true", "source": "cloudtrail", "aws_account_id": "XXXXXXXXXXXX" } ] }

After that I did some queries through the Elastic API:

Using some common field

curl -XGET -k -u admin:SecretPassword 'https://localhost:9200/wazuh-alerts-4.x-*/_search?pretty' -H 'Content-Type: application/json' -d \
'{
  "query": {
    "term": {
      "data.aws.log_info.s3bucket": "wazuh-aws-wodle-waf"
    }
  }
}'

With this the result was as expected: two documents returned.

...
{
  "value": 2,
  "relation": "eq"
}
...
Full Query Result { "total": { "value": 2, "relation": "eq" }, "max_score": 0.2876821, "hits": [ { "_index": "wazuh-alerts-4.x-2022.08.19", "_type": "_doc", "_id": "UQGRtoIBpyKf0kHs_yty", "_score": 0.2876821, "_source": { "agent": { "name": "wazuh.manager", "id": "000" }, "manager": { "name": "wazuh.manager" }, "data": { "integration": "aws", "aws": { "eventID": "d7219f7a-f2a4-4f05-a7f3-8ba35934ed0d", "awsRegion": "us-west-2", "eventCategory": "Management", "sessionCredentialFromConsole": "true", "eventVersion": "1.08", "responseElements": { "nextLockToken": "6bfdbd0f-44aa-4da9-99e6-efee9587ccfd" }, "sourceIPAddress": "AWS Internal", "log_info": { "s3bucket": "wazuh-aws-wodle-waf", "log_file": "AWSLogs/166157441623/CloudTrail/us-west-1/2022/08/19/166157441623_CloudTrail_us-west-1_20220819T0000Z_HASDoKlxgfdkdIOa.json.txt" }, "eventSource": "wafv2.amazonaws.com", "requestParameters": { "visibilityConfig": { "cloudWatchMetricsEnabled": "true", "metricName": "ec-web-acl", "sampledRequestsEnabled": "true" }, "scope": "REGIONAL", "name": "ec-web-acl", "description": "ec-web-acl", "rules": [ { "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "X-Application-ID", "sampledRequestsEnabled": true }, "name": "X-Application-ID", "statement": { "byteMatchStatement": { "searchString": { "bigEndian": true, "nativeByteOrder": false, "isReadOnly": false, "address": 0, "offset": 0, "limit": 9, "hb": [ 115, 121, 110, 116, 104, 101, 116, 105, 99 ], "position": 0, "mark": -1, "capacity": 9 }, "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "positionalConstraint": "CONTAINS", "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } }, "action": { "count": {} }, "priority": 0, "ruleLabels": [ { "name": "RulesCustom:ApplicationRappi:Synthetic" } ] }, { "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "MS-Internos", "sampledRequestsEnabled": true }, "name": "MS-Internos", "statement": { "andStatement": { "statements": [ 
{ "sizeConstraintStatement": { "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "size": 0, "comparisonOperator": "GE", "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } }, { "notStatement": { "statement": { "byteMatchStatement": { "searchString": { "bigEndian": true, "nativeByteOrder": false, "isReadOnly": false, "address": 0, "offset": 0, "limit": 9, "hb": [ 115, 121, 110, 116, 104, 101, 116, 105, 99 ], "position": 0, "mark": -1, "capacity": 9 }, "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "positionalConstraint": "CONTAINS", "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } } } } ] } }, "action": { "count": {} }, "priority": 1 }, { "overrideAction": { "none": {} }, "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "some-rules", "sampledRequestsEnabled": true }, "name": "some-rules", "statement": { "ruleGroupReferenceStatement": { "aRN": "arn:aws:wafv2:us-west-2:XXXXXXXXXXXX:regional/rulegroup/some/19dc9c90-b13d-420f-9a6f-fe8995d7bb4c" } }, "priority": 2 }, { "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "MS-ECOM-PARTNER", "sampledRequestsEnabled": true }, "name": "MS-ECOM-PARTNER", "statement": { "byteMatchStatement": { "searchString": { "bigEndian": true, "nativeByteOrder": false, "isReadOnly": false, "address": 0, "offset": 0, "limit": 15, "hb": [ 47, 101, 99, 111, 109, 45, 112, 97, 114, 116, 110, 101, 114, 115, 47 ], "position": 0, "mark": -1, "capacity": 15 }, "fieldToMatch": { "uriPath": {} }, "positionalConstraint": "CONTAINS", "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } }, "action": { "count": {} }, "priority": 3 } ], "lockToken": "69fed7cb-3bf4-4496-b1c1-9d32e9fd8a93", "id": "fd4c5ae0-4ddb-4bff-b67e-6786976f465f" }, "userAgent": "AWS Internal", "readOnly": "false", "userIdentity": { "accessKeyId": "-", "sessionContext": { "sessionIssuer": { "principalId": "-", "type": "Role", "arn": "-" }, "attributes": { 
"mfaAuthenticated": "false", "creationDate": "2022-07-05T16:49:18Z" } }, "accountId": "XXXXXXXXXXXX", "principalId": "xxxxxxxxxxxxxxx", "type": "AssumedRole", "arn": "-" }, "eventType": "AwsApiCall", "source": "cloudtrail", "apiVersion": "2019-04-23", "aws_account_id": "166157441623", "requestID": "1b4926c1-40a5-4a9c-886f-9b376fb5d4eb", "eventTime": "2022-07-05T18:20:27Z", "eventName": "UpdateWebACL", "recipientAccountId": "XXXXXXXXXXXX", "managementEvent": "true" } }, "rule": { "firedtimes": 5, "mail": false, "level": 5, "hipaa": [ "164.312.b" ], "pci_dss": [ "10.6.1" ], "tsc": [ "CC7.2", "CC7.3" ], "description": "AWS Cloudtrail: wafv2.amazonaws.com - UpdateWebACL.", "groups": [ "amazon", "aws", "aws_cloudtrail" ], "id": "80202", "nist_800_53": [ "AU.6" ], "gdpr": [ "IV_35.7.d" ] }, "decoder": { "name": "json" }, "input": { "type": "log" }, "@timestamp": "2022-08-19T14:46:27.680Z", "location": "Wazuh-AWS", "id": "1660920387.39312", "timestamp": "2022-08-19T14:46:27.680+0000" } }, { "_index": "wazuh-alerts-4.x-2022.08.19", "_type": "_doc", "_id": "UgGRtoIBpyKf0kHs_yty", "_score": 0.2876821, "_source": { "agent": { "name": "wazuh.manager", "id": "000" }, "manager": { "name": "wazuh.manager" }, "data": { "integration": "aws", "aws": { "eventID": "d7219f7a-f2a4-4f05-a7f3-8ba35934ed0d", "awsRegion": "us-west-2", "eventCategory": "Management", "sessionCredentialFromConsole": "true", "eventVersion": "1.08", "responseElements": { "nextLockToken": "6bfdbd0f-44aa-4da9-99e6-efee9587ccfd" }, "sourceIPAddress": "AWS Internal", "log_info": { "s3bucket": "wazuh-aws-wodle-waf", "log_file": "AWSLogs/166157441623/CloudTrail/us-west-1/2022/08/19/166157441623_CloudTrail_us-west-1_20220819T0000Z_HASDoKlxgfdkdIOa.json.txt" }, "eventSource": "wafv2.amazonaws.com", "requestParameters": { "visibilityConfig": { "cloudWatchMetricsEnabled": "true", "metricName": "ec-web-acl", "sampledRequestsEnabled": "true" }, "scope": "REGIONAL", "name": "ec-web-acl", "description": "ec-web-acl", "rules": 
[ { "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "HttpFlood", "sampledRequestsEnabled": true }, "name": "RL_ALL", "statement": { "rateBasedStatement": { "limit": 1000, "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" }, "aggregateKeyType": "FORWARDED_IP" } }, "action": { "count": {} }, "priority": 4, "ruleLabels": [ { "name": "CustomRules:RateLimitMS" } ] }, { "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "Request_From_Country", "sampledRequestsEnabled": true }, "name": "Request_From_Country", "statement": { "andStatement": { "statements": [ { "notStatement": { "statement": { "geoMatchStatement": { "countryCodes": [ "AR", "BR", "CL", "CO", "CR", "EC", "MX", "PE", "UY", "US" ], "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" } } } } }, { "byteMatchStatement": { "searchString": { "bigEndian": true, "nativeByteOrder": false, "isReadOnly": false, "address": 0, "offset": 0, "limit": 17, "hb": [ 47, 114, 101, 115, 116, 97, 117, 114, 97, 110, 116, 115, 45, 98, 117, 115, 47 ], "position": 0, "mark": -1, "capacity": 17 }, "fieldToMatch": { "uriPath": {} }, "positionalConstraint": "CONTAINS", "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } } ] } }, "action": { "block": {} }, "priority": 5 }, { "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "rl-elasticsearch-proxy", "sampledRequestsEnabled": true }, "name": "rl-es-proxy", "statement": { "rateBasedStatement": { "limit": 750, "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" }, "scopeDownStatement": { "byteMatchStatement": { "searchString": { "bigEndian": true, "nativeByteOrder": false, "isReadOnly": false, "address": 0, "offset": 0, "limit": 32, "hb": [ 47, 97, 112, 105, 47, 101, 115, 45, 112, 114, 111, 120, 121, 47, 115, 101, 97, 114, 99, 104, 47, 118, 50, 47, 112, 114, 111, 100, 117, 99, 116, 115 ], "position": 0, "mark": -1, 
"capacity": 32 }, "fieldToMatch": { "uriPath": {} }, "positionalConstraint": "STARTS_WITH", "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } }, "aggregateKeyType": "FORWARDED_IP" } }, "action": { "block": {} }, "priority": 6 }, { "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "some-bus-rl", "sampledRequestsEnabled": true }, "name": "some-bus-rl", "statement": { "rateBasedStatement": { "limit": 350, "forwardedIPConfig": { "headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH" }, "scopeDownStatement": { "regexPatternSetReferenceStatement": { "fieldToMatch": { "uriPath": {} }, "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ], "aRN": "arn:aws:wafv2:us-west-2:XXXXXXXXXXXX:regional/regexpatternset/toppings-rl/a0350515-8fde-46a5-9f82-d786ff6327d1" } }, "aggregateKeyType": "FORWARDED_IP" } }, "action": { "block": {} }, "priority": 7 } ], "lockToken": "69fed7cb-3bf4-4496-b1c1-9d32e9fd8a93", "id": "fd4c5ae0-4ddb-4bff-b67e-6786976f465f" }, "userAgent": "AWS Internal", "readOnly": "false", "userIdentity": { "accessKeyId": "-", "sessionContext": { "sessionIssuer": { "principalId": "-", "type": "Role", "arn": "-" }, "attributes": { "mfaAuthenticated": "false", "creationDate": "2022-07-05T16:49:18Z" } }, "accountId": "XXXXXXXXXXXX", "principalId": "xxxxxxxxxxxxxxx", "type": "AssumedRole", "arn": "-" }, "eventType": "AwsApiCall", "source": "cloudtrail", "apiVersion": "2019-04-23", "aws_account_id": "166157441623", "requestID": "1b4926c1-40a5-4a9c-886f-9b376fb5d4eb", "eventTime": "2022-07-05T18:20:27Z", "eventName": "UpdateWebACL", "recipientAccountId": "XXXXXXXXXXXX", "managementEvent": "true" } }, "rule": { "firedtimes": 6, "mail": false, "level": 5, "hipaa": [ "164.312.b" ], "pci_dss": [ "10.6.1" ], "tsc": [ "CC7.2", "CC7.3" ], "description": "AWS Cloudtrail: wafv2.amazonaws.com - UpdateWebACL.", "groups": [ "amazon", "aws", "aws_cloudtrail" ], "id": "80202", "nist_800_53": [ "AU.6" ], "gdpr": [ "IV_35.7.d" ] }, 
"decoder": { "name": "json" }, "input": { "type": "log" }, "@timestamp": "2022-08-19T14:46:27.680Z", "location": "Wazuh-AWS", "id": "1660920387.48832", "timestamp": "2022-08-19T14:46:27.680+0000" } } ] }

Using some field contained in the rules array

curl -XGET -k -u admin:SecretPassword 'https://localhost:9200/wazuh-alerts-4.x-*/_search?pretty' -H 'Content-Type: application/json' -d \
'{
  "query": {
    "nested": {
      "path": "data.aws.requestParameters.rules",
      "query": {
        "bool": {
          "must": [
            { "match": { "data.aws.requestParameters.rules.name": "X-Application-ID" }}
          ]
        }
      }
    }
  }
}
'

The result was as expected: only one document returned.

...
{
  "value": 1,
  "relation": "eq"
}
...
Full Query Result

```json
{ "total": { "value": 1, "relation": "eq" }, "max_score": 1.2039728, "hits": [ { "_index": "wazuh-alerts-4.x-2022.08.19", "_type": "_doc", "_id": "UQGRtoIBpyKf0kHs_yty", "_score": 1.2039728, "_source": { "agent": { "name": "wazuh.manager", "id": "000" }, "manager": { "name": "wazuh.manager" }, "data": { "integration": "aws", "aws": { "eventID": "d7219f7a-f2a4-4f05-a7f3-8ba35934ed0d", "awsRegion": "us-west-2", "eventCategory": "Management", "sessionCredentialFromConsole": "true", "eventVersion": "1.08", "responseElements": { "nextLockToken": "6bfdbd0f-44aa-4da9-99e6-efee9587ccfd" }, "sourceIPAddress": "AWS Internal", "log_info": { "s3bucket": "wazuh-aws-wodle-waf", "log_file": "AWSLogs/166157441623/CloudTrail/us-west-1/2022/08/19/166157441623_CloudTrail_us-west-1_20220819T0000Z_HASDoKlxgfdkdIOa.json.txt" }, "eventSource": "wafv2.amazonaws.com", "requestParameters": { "visibilityConfig": { "cloudWatchMetricsEnabled": "true", "metricName": "ec-web-acl", "sampledRequestsEnabled": "true" }, "scope": "REGIONAL", "name": "ec-web-acl", "description": "ec-web-acl", "rules": [ { "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "X-Application-ID", "sampledRequestsEnabled": true }, "name": "X-Application-ID", "statement": { "byteMatchStatement": { "searchString": { "bigEndian": true, "nativeByteOrder": false, "isReadOnly": false, "address": 0, "offset": 0, "limit": 9, "hb": [ 115, 121, 110, 116, 104, 101, 116, 105, 99 ], "position": 0, "mark": -1, "capacity": 9 }, "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "positionalConstraint": "CONTAINS", "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } }, "action": { "count": {} }, "priority": 0, "ruleLabels": [ { "name": "RulesCustom:ApplicationRappi:Synthetic" } ] }, { "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "MS-Internos", "sampledRequestsEnabled": true }, "name": "MS-Internos", "statement": { "andStatement": { "statements": [ 
{ "sizeConstraintStatement": { "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "size": 0, "comparisonOperator": "GE", "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } }, { "notStatement": { "statement": { "byteMatchStatement": { "searchString": { "bigEndian": true, "nativeByteOrder": false, "isReadOnly": false, "address": 0, "offset": 0, "limit": 9, "hb": [ 115, 121, 110, 116, 104, 101, 116, 105, 99 ], "position": 0, "mark": -1, "capacity": 9 }, "fieldToMatch": { "singleHeader": { "name": "x-application-id" } }, "positionalConstraint": "CONTAINS", "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } } } } ] } }, "action": { "count": {} }, "priority": 1 }, { "overrideAction": { "none": {} }, "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "some-rules", "sampledRequestsEnabled": true }, "name": "some-rules", "statement": { "ruleGroupReferenceStatement": { "aRN": "arn:aws:wafv2:us-west-2:XXXXXXXXXXXX:regional/rulegroup/some/19dc9c90-b13d-420f-9a6f-fe8995d7bb4c" } }, "priority": 2 }, { "visibilityConfig": { "cloudWatchMetricsEnabled": true, "metricName": "MS-ECOM-PARTNER", "sampledRequestsEnabled": true }, "name": "MS-ECOM-PARTNER", "statement": { "byteMatchStatement": { "searchString": { "bigEndian": true, "nativeByteOrder": false, "isReadOnly": false, "address": 0, "offset": 0, "limit": 15, "hb": [ 47, 101, 99, 111, 109, 45, 112, 97, 114, 116, 110, 101, 114, 115, 47 ], "position": 0, "mark": -1, "capacity": 15 }, "fieldToMatch": { "uriPath": {} }, "positionalConstraint": "CONTAINS", "textTransformations": [ { "priority": 0, "type": "LOWERCASE" } ] } }, "action": { "count": {} }, "priority": 3 } ], "lockToken": "69fed7cb-3bf4-4496-b1c1-9d32e9fd8a93", "id": "fd4c5ae0-4ddb-4bff-b67e-6786976f465f" }, "userAgent": "AWS Internal", "readOnly": "false", "userIdentity": { "accessKeyId": "-", "sessionContext": { "sessionIssuer": { "principalId": "-", "type": "Role", "arn": "-" }, "attributes": { 
"mfaAuthenticated": "false", "creationDate": "2022-07-05T16:49:18Z" } }, "accountId": "XXXXXXXXXXXX", "principalId": "xxxxxxxxxxxxxxx", "type": "AssumedRole", "arn": "-" }, "eventType": "AwsApiCall", "source": "cloudtrail", "apiVersion": "2019-04-23", "aws_account_id": "166157441623", "requestID": "1b4926c1-40a5-4a9c-886f-9b376fb5d4eb", "eventTime": "2022-07-05T18:20:27Z", "eventName": "UpdateWebACL", "recipientAccountId": "XXXXXXXXXXXX", "managementEvent": "true" } }, "rule": { "firedtimes": 5, "mail": false, "level": 5, "hipaa": [ "164.312.b" ], "pci_dss": [ "10.6.1" ], "tsc": [ "CC7.2", "CC7.3" ], "description": "AWS Cloudtrail: wafv2.amazonaws.com - UpdateWebACL.", "groups": [ "amazon", "aws", "aws_cloudtrail" ], "id": "80202", "nist_800_53": [ "AU.6" ], "gdpr": [ "IV_35.7.d" ] }, "decoder": { "name": "json" }, "input": { "type": "log" }, "@timestamp": "2022-08-19T14:46:27.680Z", "location": "Wazuh-AWS", "id": "1660920387.39312", "timestamp": "2022-08-19T14:46:27.680+0000" } } ] }
```

Conclusion

It is possible to filter by the objects of the rules array through the Elastic REST API. The next step is to try to do the same using the dashboard.

nico-stefani commented 2 years ago

Issue Update

I was able to search from the security events view using the query `data.aws.requestParameters.rules:{name:X-Application-ID}`.

But it is still not possible to use a nested field as a filter.

Also, I found that nested fields have limited support: https://github.com/elastic/kibana/issues/1084#issuecomment-585178079

mcarmona99 commented 2 years ago

Issue update

I have also replicated this use case. First of all, I have ingested the AWS log just like Nico did following the steps detailed in https://github.com/wazuh/wazuh/issues/14547#issuecomment-1218414156.

As Nico said, the data.aws.requestParameters.rules field is not correctly shown in the dashboard:

Modules > Security events > Dashboard

And it is correctly shown in the events or discover section:

Modules > Security events > Events

Discover

Before updating and loading the modified wazuh-template.json, I realized that the field is appearing in the field list of **Stack Management > Index Patterns > `wazuh-alerts-*`** even if the template is not modified (only refreshing the `wazuh-alerts-*` field list).

BUT the nested field configuration does need to be applied to avoid this error:

# curl -XGET -k -u admin:admin 'https://localhost:9200/wazuh-alerts-4.x-*/_search?pretty' -H 'Content-Type: application/json' -d \
'{
  "query": {
    "nested": {
      "path": "data.aws.requestParameters.rules",
      "query": {
        "bool": {
          "must": [
            { "match": { "data.aws.requestParameters.rules.name": "X-Application-ID" }}
          ]
        }
      }
    }
  }
}
'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "query_shard_exception",
        "reason" : "failed to create query: [nested] nested object under path [data.aws.requestParameters.rules] is not of nested type",
        "index" : "wazuh-alerts-4.x-2022.08.22",
        "index_uuid" : "x3hwpf7pSBKRUPtYHpY1Sg"
      }
    ],
    "type" : "search_phase_execution_exception",
    "reason" : "all shards failed",
    "phase" : "query",
    "grouped" : true,
    "failed_shards" : [
      {
        "shard" : 0,
        "index" : "wazuh-alerts-4.x-2022.08.22",
        "node" : "C5rMLicuSbe_tKGEiWA06A",
        "reason" : {
          "type" : "query_shard_exception",
          "reason" : "failed to create query: [nested] nested object under path [data.aws.requestParameters.rules] is not of nested type",
          "index" : "wazuh-alerts-4.x-2022.08.22",
          "index_uuid" : "x3hwpf7pSBKRUPtYHpY1Sg",
          "caused_by" : {
            "type" : "illegal_state_exception",
            "reason" : "[nested] nested object under path [data.aws.requestParameters.rules] is not of nested type"
          }
        }
      }
    ]
  },
  "status" : 400
}

Healthcheck:

# curl -X GET -k -u admin:password 'https://localhost:9200/?pretty'
{
  "name" : "wazuh-indexer-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "hOScwD_hQ2exKf6lh8C1DA",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "e505b10357c03ae8d26d675172402f2f2144ef0f",
    "build_date" : "2022-01-14T03:38:06.881862Z",
    "build_snapshot" : false,
    "lucene_version" : "8.10.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

I have made data.aws.requestParameters.rules nested by following the Elasticsearch documentation https://www.elastic.co/guide/en/elasticsearch/reference/current/nested.html and https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-put-mapping.html. IMPORTANT: This step should be done before refreshing the index (the index is refreshed automatically when ingesting the AWS WAF logs).

Making the field nested in the Kibana dev tools:

```
PUT wazuh-alerts-4.x-2022.08.22/_mapping
{
  "properties": {
    "data": {
      "properties": {
        "aws": {
          "properties": {
            "requestParameters": {
              "properties": {
                "rules": {
                  "type": "nested"
                }
              }
            }
          }
        }
      }
    }
  }
}
```

With this update, the rules field is considered nested and the filter can be applied with the Elastic API, as Nico said:

# curl -XGET -k -u admin:admin 'https://localhost:9200/wazuh-alerts-4.x-*/_search?pretty' -H 'Content-Type: application/json' -d \
'{
  "query": {
    "nested": {
      "path": "data.aws.requestParameters.rules",
      "query": {
        "bool": {
          "must": [
            { "match": { "data.aws.requestParameters.rules.name": "X-Application-ID" }}
          ]
        }
      }
    }
  }
}
'
Response

```json
{ "took" : 12, "timed_out" : false, "_shards" : { "total" : 3, "successful" : 3, "skipped" : 0, "failed" : 0 }, "hits" : { "total" : { "value" : 1, "relation" : "eq" }, "max_score" : 1.2039728, "hits" : [ { "_index" : "wazuh-alerts-4.x-2022.08.22", "_type" : "_doc", "_id" : "BVIoxYIBCt9y7rhYC957", "_score" : 1.2039728, "_source" : { "cluster" : { "node" : "master-node", "name" : "wazuh" }, "agent" : { "name" : "wazuh-master", "id" : "000" }, "manager" : { "name" : "wazuh-master" }, "data" : { "integration" : "aws", "aws" : { "eventID" : "d7219f7a-f2a4-4f05-a7f3-8ba35934ed0d", "awsRegion" : "us-west-2", "eventCategory" : "Management", "sessionCredentialFromConsole" : "true", "eventVersion" : "1.08", "responseElements" : { "nextLockToken" : "6bfdbd0f-44aa-4da9-99e6-efee9587ccfd" }, "sourceIPAddress" : "AWS Internal", "log_info" : { "s3bucket" : "wazuh-aws-wodle-waf", "log_file" : "AWSLogs/166157441623/CloudTrail/us-west-1/2022/08/19/166157441623_CloudTrail_us-west-1_20220819T0000Z_HASDoKlxgfdkdIOa.json.txt" }, "eventSource" : "wafv2.amazonaws.com", "requestParameters" : { "visibilityConfig" : { "cloudWatchMetricsEnabled" : "true", "metricName" : "ec-web-acl", "sampledRequestsEnabled" : "true" }, "scope" : "REGIONAL", "name" : "ec-web-acl", "description" : "ec-web-acl", "rules" : [ { "visibilityConfig" : { "cloudWatchMetricsEnabled" : true, "metricName" : "X-Application-ID", "sampledRequestsEnabled" : true }, "name" : "X-Application-ID", "statement" : { "byteMatchStatement" : { "searchString" : { "bigEndian" : true, "nativeByteOrder" : false, "isReadOnly" : false, "address" : 0, "offset" : 0, "limit" : 9, "hb" : [ 115, 121, 110, 116, 104, 101, 116, 105, 99 ], "position" : 0, "mark" : -1, "capacity" : 9 }, "fieldToMatch" : { "singleHeader" : { "name" : "x-application-id" } }, "positionalConstraint" : "CONTAINS", "textTransformations" : [ { "priority" : 0, "type" : "LOWERCASE" } ] } }, "action" : { "count" : { } }, "priority" : 0, "ruleLabels" : [ { "name" 
: "RulesCustom:ApplicationRappi:Synthetic" } ] }, { "visibilityConfig" : { "cloudWatchMetricsEnabled" : true, "metricName" : "MS-Internos", "sampledRequestsEnabled" : true }, "name" : "MS-Internos", "statement" : { "andStatement" : { "statements" : [ { "sizeConstraintStatement" : { "fieldToMatch" : { "singleHeader" : { "name" : "x-application-id" } }, "size" : 0, "comparisonOperator" : "GE", "textTransformations" : [ { "priority" : 0, "type" : "LOWERCASE" } ] } }, { "notStatement" : { "statement" : { "byteMatchStatement" : { "searchString" : { "bigEndian" : true, "nativeByteOrder" : false, "isReadOnly" : false, "address" : 0, "offset" : 0, "limit" : 9, "hb" : [ 115, 121, 110, 116, 104, 101, 116, 105, 99 ], "position" : 0, "mark" : -1, "capacity" : 9 }, "fieldToMatch" : { "singleHeader" : { "name" : "x-application-id" } }, "positionalConstraint" : "CONTAINS", "textTransformations" : [ { "priority" : 0, "type" : "LOWERCASE" } ] } } } } ] } }, "action" : { "count" : { } }, "priority" : 1 }, { "overrideAction" : { "none" : { } }, "visibilityConfig" : { "cloudWatchMetricsEnabled" : true, "metricName" : "some-rules", "sampledRequestsEnabled" : true }, "name" : "some-rules", "statement" : { "ruleGroupReferenceStatement" : { "aRN" : "arn:aws:wafv2:us-west-2:XXXXXXXXXXXX:regional/rulegroup/some/19dc9c90-b13d-420f-9a6f-fe8995d7bb4c" } }, "priority" : 2 }, { "visibilityConfig" : { "cloudWatchMetricsEnabled" : true, "metricName" : "MS-ECOM-PARTNER", "sampledRequestsEnabled" : true }, "name" : "MS-ECOM-PARTNER", "statement" : { "byteMatchStatement" : { "searchString" : { "bigEndian" : true, "nativeByteOrder" : false, "isReadOnly" : false, "address" : 0, "offset" : 0, "limit" : 15, "hb" : [ 47, 101, 99, 111, 109, 45, 112, 97, 114, 116, 110, 101, 114, 115, 47 ], "position" : 0, "mark" : -1, "capacity" : 15 }, "fieldToMatch" : { "uriPath" : { } }, "positionalConstraint" : "CONTAINS", "textTransformations" : [ { "priority" : 0, "type" : "LOWERCASE" } ] } }, "action" : { "count" : { 
} }, "priority" : 3 } ], "lockToken" : "69fed7cb-3bf4-4496-b1c1-9d32e9fd8a93", "id" : "fd4c5ae0-4ddb-4bff-b67e-6786976f465f" }, "userAgent" : "AWS Internal", "readOnly" : "false", "userIdentity" : { "accessKeyId" : "-", "sessionContext" : { "sessionIssuer" : { "principalId" : "-", "type" : "Role", "arn" : "-" }, "attributes" : { "mfaAuthenticated" : "false", "creationDate" : "2022-07-05T16:49:18Z" } }, "accountId" : "XXXXXXXXXXXX", "principalId" : "xxxxxxxxxxxxxxx", "type" : "AssumedRole", "arn" : "-" }, "eventType" : "AwsApiCall", "source" : "cloudtrail", "apiVersion" : "2019-04-23", "aws_account_id" : "166157441623", "requestID" : "1b4926c1-40a5-4a9c-886f-9b376fb5d4eb", "eventTime" : "2022-07-05T18:20:27Z", "eventName" : "UpdateWebACL", "recipientAccountId" : "XXXXXXXXXXXX", "managementEvent" : "true" } }, "rule" : { "firedtimes" : 1, "mail" : false, "level" : 3, "hipaa" : [ "164.312.b" ], "pci_dss" : [ "10.6.1" ], "tsc" : [ "CC7.2", "CC7.3" ], "description" : "AWS Cloudtrail: wafv2.amazonaws.com - UpdateWebACL.", "groups" : [ "amazon", "aws", "aws_cloudtrail" ], "id" : "80202", "nist_800_53" : [ "AU.6" ], "gdpr" : [ "IV_35.7.d" ] }, "decoder" : { "name" : "json" }, "input" : { "type" : "log" }, "@timestamp" : "2022-08-22T10:45:07.525Z", "location" : "Wazuh-AWS", "id" : "1661165107.539121", "timestamp" : "2022-08-22T10:45:07.525+0000" } } ] } }
```

I have also tried using the Kibana filters (User interface) and they are working.

For instance, filtering by rules when one of them has its name equal to MS-Internos and when it is RL_ALL (2 different events).

What is not working is the filter in the dashboard section (modules > security events > dashboard). The filter does work in the events section (modules > security events > events).

In the events section, the request is a POST request done to /localhost/internal/search/opensearch with the following query in its payload:

{
  "bool": {
    "must": [],
    "filter": [
      {
        "match_all": {}
      },
      {
        "match_phrase": {
          "cluster.name": {
            "query": "wazuh"
          }
        }
      },
      {
        "nested": {
          "path": "data.aws.requestParameters.rules",
          "query": {
            "match_phrase": {
              "data.aws.requestParameters.rules.name": "some-bus-rl"
            }
          }
        }
      },
      {
        "range": {
          "timestamp": {
            "gte": "2022-08-21T11:22:45.411Z",
            "lte": "2022-08-22T11:22:45.411Z",
            "format": "strict_date_optional_time"
          }
        }
      }
    ],
    "should": [],
    "must_not": []
  }
}

In the dashboard section, the request is a POST request done to /localhost/elastic/alerts with the following query in its payload:

{
  "bool": {
    "must": [
      {
        "range": {
          "timestamp": {
            "gte": "now-24h",
            "lte": "now",
            "format": "epoch_millis"
          }
        }
      }
    ],
    "filter": [
      {
        "match_all": {}
      },
      {
        "match_phrase": {
          "cluster.name": {
            "query": "wazuh"
          }
        }
      },
      {
        "match_phrase": {
          "data.aws.requestParameters.rules.name": "some-bus-rl"
        }
      },
      {
        "match_phrase": {
          "cluster.name": {
            "query": "wazuh"
          }
        }
      },
      {
        "match_phrase": {
          "data.aws.requestParameters.rules.name": "some-bus-rl"
        }
      }
    ],
    "should": [],
    "must_not": []
  }
}

As we can see, the query used in the events section to filter by a nested field uses the nested keyword whereas the one of the dashboard section uses the match_phrase keyword. This match_phrase keyword is the one used to filter by standard fields (non-nested). This is why the dashboard is not showing the events properly.

If we have a look at the discover section (outside the Wazuh plugin), we can also see that the filter is working:

In this section, the query used was the following:

{
  "bool": {
    "must": [],
    "filter": [
      {
        "match_all": {}
      },
      {
        "nested": {
          "path": "data.aws.requestParameters.rules",
          "query": {
            "match_phrase": {
              "data.aws.requestParameters.rules.name": "MS-ECOM-PARTNER"
            }
          }
        }
      },
      {
        "range": {
          "timestamp": {
            "gte": "2022-08-21T11:39:29.362Z",
            "lte": "2022-08-22T11:39:29.362Z",
            "format": "strict_date_optional_time"
          }
        }
      }
    ],
    "should": [],
    "must_not": []
  }
}

As we can see, the nested keyword is used, and the query follows the same format used in the events section of the Wazuh plugin.

The conclusion is that we can filter AWS WAF events using fields present in items inside an item list. What appears to be wrong is the way we are making the requests to the Elastic API in the Dashboard section of the Wazuh plugin when a nested field is present.
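
The difference described in this comment, as an added example (not Wazuh or Wazuh-plugin code): a small simulation of object versus `nested` array semantics, and a hypothetical `wrap_nested_filters` helper that turns the dashboard's flat `match_phrase` clause into the `nested` query shape the events section and Discover already send. The mapping fragment, sample alert and trimmed dashboard payload are constructed from values shown in this thread; the helper is an assumption about how such a rewrite could look, not the plugin's own request builder.

```python
"""Added example (not Wazuh or Wazuh-plugin code): why a flat match_phrase on a
field under a nested path gives wrong results, and how the dashboard filters
from this issue can be rewritten into `nested` queries."""
import copy
import json

NESTED_PATH = "data.aws.requestParameters.rules"

# Constructed mapping fragment: only the nested path discussed in the issue.
MAPPING = {"data": {"properties": {"aws": {"properties": {"requestParameters": {
    "properties": {"rules": {"type": "nested"}}}}}}}}

# Constructed sample alert; rule names and priorities taken from the thread.
ALERT = {"data": {"aws": {"requestParameters": {"rules": [
    {"name": "X-Application-ID", "action": {"count": {}}, "priority": 0},
    {"name": "some-rules", "overrideAction": {"none": {}}, "priority": 2},
]}}}}

# The dashboard payload shown above, trimmed to the clauses that matter.
DASHBOARD_QUERY = {"bool": {
    "must": [{"range": {"timestamp": {"gte": "now-24h", "lte": "now"}}}],
    "filter": [{"match_all": {}},
               {"match_phrase": {"cluster.name": {"query": "wazuh"}}},
               {"match_phrase": {"data.aws.requestParameters.rules.name": "some-bus-rl"}}],
    "should": [], "must_not": []}}


def _get(doc, dotted):
    """Walk a dotted path and return every value found; arrays are flattened,
    which is exactly how a non-nested object mapping indexes them."""
    current = [doc]
    for part in dotted.split("."):
        found = []
        for node in current:
            if isinstance(node, dict) and part in node:
                value = node[part]
                found.extend(value if isinstance(value, list) else [value])
        current = found
    return current


def matches_flat(doc, conditions):
    """Object (non-nested) semantics: each condition only has to hold somewhere
    in the flattened array, so values from different rules can combine."""
    return all(value in _get(doc, field) for field, value in conditions.items())


def matches_nested(doc, path, conditions):
    """Nested semantics: every condition must hold inside the same array item."""
    relative = {f[len(path) + 1:]: v for f, v in conditions.items()}
    for item in _get(doc, path):
        if all(v in _get(item, f) for f, v in relative.items()):
            return True
    return False


def nested_paths(properties, prefix=""):
    """Collect every dotted path whose mapping type is 'nested'."""
    paths = []
    for name, spec in properties.items():
        path = prefix + name
        if spec.get("type") == "nested":
            paths.append(path)
        paths.extend(nested_paths(spec.get("properties", {}), path + "."))
    return paths


def nested_parent(field, paths):
    """Longest nested path that is a strict prefix of `field`, or None."""
    hits = [p for p in paths if field.startswith(p + ".")]
    return max(hits, key=len) if hits else None


def wrap_nested_filters(query, mapping):
    """Hypothetical fix for the dashboard request builder: wrap each
    match_phrase clause on a field below a nested path in a `nested` query,
    producing the shape the events section and Discover already send."""
    paths = nested_paths(mapping)
    out = copy.deepcopy(query)
    for section in ("must", "filter", "should", "must_not"):
        for i, clause in enumerate(out["bool"].get(section, [])):
            if "match_phrase" not in clause:
                continue
            (field,) = clause["match_phrase"].keys()
            path = nested_parent(field, paths)
            if path:
                out["bool"][section][i] = {"nested": {"path": path, "query": clause}}
    return out


if __name__ == "__main__":
    # name from one rule, priority from another: only the flat query matches
    conds = {NESTED_PATH + ".name": "some-rules", NESTED_PATH + ".priority": 0}
    print("flat:", matches_flat(ALERT, conds), "nested:", matches_nested(ALERT, NESTED_PATH, conds))
    print(json.dumps(wrap_nested_filters(DASHBOARD_QUERY, MAPPING), indent=2))
```

The simulation is the reason a flat filter is not merely "less efficient" but wrong: with an object mapping, `name:some-rules AND priority:0` matches the constructed alert even though no single rule has both values, because the array is flattened before indexing. The rewrite uses the index mapping to decide which clauses need wrapping, so clauses on ordinary fields such as `cluster.name` are left untouched.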

nico-stefani commented 2 years ago

Issue Update

I was able to index documents with the requested format and these were dynamically mapped without any extra action. The filters and search returned the same results as before.

After sending the event to the indexer, get the created mapping.

curl -XGET -k -u admin:SecretPassword 'https://localhost:9200/wazuh-alerts-4.x-2022.08.29?pretty'

As we can see, requestParameters.rules was correctly mapped.

...
"rules" : {
    "type" : "nested",
    "properties" : {
    "action" : {
        "properties" : {
        "block" : {
            "type" : "object"
        },
        "count" : {
            "type" : "object"
        }
        }
    },
    "name" : {
        "type" : "keyword"
    },
    "overrideAction" : {
        "properties" : {
        "none" : {
            "type" : "object"
        }
        }
    },
    "priority" : {
        "type" : "long"
    },
    "ruleLabels" : {
        "properties" : {
        "name" : {
            "type" : "keyword"
        }
        }
    },
    "statement" : {
        "properties" : {
        "andStatement" : {
            "properties" : {
            "statements" : {
                "properties" : {
                "byteMatchStatement" : {
                    "properties" : {
                    "fieldToMatch" : {
                        "properties" : {
                        "uriPath" : {
                            "type" : "object"
                        }
                        }
                    },
                    "positionalConstraint" : {
                        "type" : "keyword"
                    },
                    "searchString" : {
                        "properties" : {
                        "address" : {
                            "type" : "long"
                        },
                        "bigEndian" : {
                            "type" : "boolean"
                        },
                        "capacity" : {
                            "type" : "long"
                        },
                        "hb" : {
                            "type" : "long"
                        },
                        "isReadOnly" : {
                            "type" : "boolean"
                        },
                        "limit" : {
                            "type" : "long"
                        },
                        "mark" : {
                            "type" : "long"
                        },
                        "nativeByteOrder" : {
                            "type" : "boolean"
                        },
                        "offset" : {
                            "type" : "long"
                        },
                        "position" : {
                            "type" : "long"
                        }
                        }
                    },
                    "textTransformations" : {
                        "properties" : {
                        "priority" : {
                            "type" : "long"
                        },
                        "type" : {
                            "type" : "keyword"
                        }
                        }
                    }
                    }
                },
                "notStatement" : {
                    "properties" : {
                    "statement" : {
                        "properties" : {
                        "byteMatchStatement" : {
                            "properties" : {
                            "fieldToMatch" : {
                                "properties" : {
                                "singleHeader" : {
                                    "properties" : {
                                    "name" : {
                                        "type" : "keyword"
                                    }
                                    }
                                }
                                }
                            },
                            "positionalConstraint" : {
                                "type" : "keyword"
                            },
                            "searchString" : {
                                "properties" : {
                                "address" : {
                                    "type" : "long"
                                },
                                "bigEndian" : {
                                    "type" : "boolean"
                                },
                                "capacity" : {
                                    "type" : "long"
                                },
                                "hb" : {
                                    "type" : "long"
                                },
                                "isReadOnly" : {
                                    "type" : "boolean"
                                },
                                "limit" : {
                                    "type" : "long"
                                },
                                "mark" : {
                                    "type" : "long"
                                },
                                "nativeByteOrder" : {
                                    "type" : "boolean"
                                },
                                "offset" : {
                                    "type" : "long"
                                },
                                "position" : {
                                    "type" : "long"
                                }
                                }
                            },
                            "textTransformations" : {
                                "properties" : {
                                "priority" : {
                                    "type" : "long"
                                },
                                "type" : {
                                    "type" : "keyword"
                                }
                                }
                            }
                            }
                        },
                        "geoMatchStatement" : {
                            "properties" : {
                            "countryCodes" : {
                                "type" : "keyword"
                            },
                            "forwardedIPConfig" : {
                                "properties" : {
                                "fallbackBehavior" : {
                                    "type" : "keyword"
                                },
                                "headerName" : {
                                    "type" : "keyword"
                                }
                                }
                            }
                            }
                        }
                        }
                    }
                    }
                },
                "sizeConstraintStatement" : {
                    "properties" : {
                    "comparisonOperator" : {
                        "type" : "keyword"
                    },
                    "fieldToMatch" : {
                        "properties" : {
                        "singleHeader" : {
                            "properties" : {
                            "name" : {
                                "type" : "keyword"
                            }
                            }
                        }
                        }
                    },
                    "size" : {
                        "type" : "long"
                    },
                    "textTransformations" : {
                        "properties" : {
                        "priority" : {
                            "type" : "long"
                        },
                        "type" : {
                            "type" : "keyword"
                        }
                        }
                    }
                    }
                }
                }
            }
            }
        },
        "byteMatchStatement" : {
            "properties" : {
            "fieldToMatch" : {
                "properties" : {
                "singleHeader" : {
                    "properties" : {
                    "name" : {
                        "type" : "keyword"
                    }
                    }
                },
                "uriPath" : {
                    "type" : "object"
                }
                }
            },
            "positionalConstraint" : {
                "type" : "keyword"
            },
            "searchString" : {
                "properties" : {
                "address" : {
                    "type" : "long"
                },
                "bigEndian" : {
                    "type" : "boolean"
                },
                "capacity" : {
                    "type" : "long"
                },
                "hb" : {
                    "type" : "long"
                },
                "isReadOnly" : {
                    "type" : "boolean"
                },
                "limit" : {
                    "type" : "long"
                },
                "mark" : {
                    "type" : "long"
                },
                "nativeByteOrder" : {
                    "type" : "boolean"
                },
                "offset" : {
                    "type" : "long"
                },
                "position" : {
                    "type" : "long"
                }
                }
            },
            "textTransformations" : {
                "properties" : {
                "priority" : {
                    "type" : "long"
                },
                "type" : {
                    "type" : "keyword"
                }
                }
            }
            }
        },
        "rateBasedStatement" : {
            "properties" : {
            "aggregateKeyType" : {
                "type" : "keyword"
            },
            "forwardedIPConfig" : {
                "properties" : {
                "fallbackBehavior" : {
                    "type" : "keyword"
                },
                "headerName" : {
                    "type" : "keyword"
                }
                }
            },
            "limit" : {
                "type" : "long"
            },
            "scopeDownStatement" : {
                "properties" : {
                "byteMatchStatement" : {
                    "properties" : {
                    "fieldToMatch" : {
                        "properties" : {
                        "uriPath" : {
                            "type" : "object"
                        }
                        }
                    },
                    "positionalConstraint" : {
                        "type" : "keyword"
                    },
                    "searchString" : {
                        "properties" : {
                        "address" : {
                            "type" : "long"
                        },
                        "bigEndian" : {
                            "type" : "boolean"
                        },
                        "capacity" : {
                            "type" : "long"
                        },
                        "hb" : {
                            "type" : "long"
                        },
                        "isReadOnly" : {
                            "type" : "boolean"
                        },
                        "limit" : {
                            "type" : "long"
                        },
                        "mark" : {
                            "type" : "long"
                        },
                        "nativeByteOrder" : {
                            "type" : "boolean"
                        },
                        "offset" : {
                            "type" : "long"
                        },
                        "position" : {
                            "type" : "long"
                        }
                        }
                    },
                    "textTransformations" : {
                        "properties" : {
                        "priority" : {
                            "type" : "long"
                        },
                        "type" : {
                            "type" : "keyword"
                        }
                        }
                    }
                    }
                },
                "regexPatternSetReferenceStatement" : {
                    "properties" : {
                    "aRN" : {
                        "type" : "keyword"
                    },
                    "fieldToMatch" : {
                        "properties" : {
                        "uriPath" : {
                            "type" : "object"
                        }
                        }
                    },
                    "textTransformations" : {
                        "properties" : {
                        "priority" : {
                            "type" : "long"
                        },
                        "type" : {
                            "type" : "keyword"
                        }
                        }
                    }
                    }
                }
                }
            }
            }
        },
        "ruleGroupReferenceStatement" : {
            "properties" : {
            "aRN" : {
                "type" : "keyword"
            }
            }
        }
        }
    },
    "visibilityConfig" : {
        "properties" : {
        "cloudWatchMetricsEnabled" : {
            "type" : "boolean"
        },
        "metricName" : {
            "type" : "keyword"
        },
        "sampledRequestsEnabled" : {
            "type" : "boolean"
        }
        }
    }
    }
}
...

Then in Security Events > Events we got the message.

And the field is displayed as nested.
