
Scope Rule 80200 to ^aws$

Open jorlando-tl opened this issue 5 years ago • 4 comments

The current rule for 80200 will match any integration that begins with aws. Would like to scope it specifically to just aws to support some additional integrations and rules off of them. My specific intent at the moment is to spin rules off of the integration value, aws.c7n.

jorlando-tl avatar Jul 29 '19 17:07 jorlando-tl
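The scoping change requested above, as an added before/after rule fragment; this is not the wazuh-ruleset's own rule text. The body of rule 80200, the child rule id 80250 and the group name are assumptions, and the match semantics assumed are those of Wazuh 3.x `<field>` elements, where the value is an unanchored OS_Regex expression.

```xml
<!-- Added example, not the wazuh-ruleset's rule text. Rule body, id 80250 and
     group name are assumptions. Load only ONE version of 80200 at a time;
     duplicate rule ids are rejected by the analysis engine. -->

<!-- BEFORE (assumed shape of the current rule): the <field> value is an
     unanchored regex, so "aws" also matches "aws.c7n", "awsfoo", or any
     integration value that merely contains "aws". -->
<group name="amazon,aws,">
  <rule id="80200" level="0">
    <decoded_as>json</decoded_as>
    <field name="integration">aws</field>
    <description>AWS alert.</description>
  </rule>
</group>

<!-- AFTER: ^ and $ anchor the expression to the whole field value, so 80200
     fires only when integration is exactly "aws". A separate base rule can
     then own the aws.c7n integration without being swallowed by 80200.
     The dot in "aws.c7n" is escaped: an unescaped "." matches any character. -->
<group name="amazon,aws,">
  <rule id="80200" level="0">
    <decoded_as>json</decoded_as>
    <field name="integration">^aws$</field>
    <description>AWS alert.</description>
  </rule>

  <!-- Hypothetical sibling base rule for Cloud Custodian (c7n) results.
       It is a sibling, not a child of 80200, because after anchoring the
       two integration values no longer overlap. -->
  <rule id="80250" level="0">
    <decoded_as>json</decoded_as>
    <field name="integration">^aws\.c7n$</field>
    <description>AWS Cloud Custodian (c7n) result.</description>
  </rule>
</group>
```

After editing, run `/var/ossec/bin/ossec-logtest` (Wazuh 3.x) with a sample JSON event whose `integration` is `aws` and one whose `integration` is `aws.c7n`, and confirm each hits only its intended rule id.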

Hello @jorlando-tl

I've pushed some commits to resolve conflicts. It could merge in 3.10. Also, in case it's possible, I would like you to send us some Cloud Custodian log examples.

Best regards, Eva

Lopuiz avatar Aug 02 '19 12:08 Lopuiz

Hi @Lopuiz , I will work to get some scrubbed sample logs for you. In the meantime, I do want to make you aware of a piece of the integration I have already worked on: https://github.com/orlando-jamie/aws-c7n-wazuh-extension. C7n is designed to send its results to an SQS queue, so I wrote this to pluck messages from the queue and push them to Wazuh. Right now I am just using the JSON decoder to ship everything to Elasticsearch to build some dashboards, but I want to leave room to do some more thoughtful analysis in the ruleset.

Thank You, -Jamie

orlando-jamie avatar Aug 02 '19 12:08 orlando-jamie

Thank you so much for all. I'll take a look at the script.

Regards, Eva

Lopuiz avatar Aug 02 '19 12:08 Lopuiz

Hello @jorlando-tl

Could you do a rebase of 3.10 so that only your modifications appear?

Regards, Eva

Lopuiz avatar Aug 13 '19 09:08 Lopuiz