Wazuh alert fields list

Open myasn1k opened this issue 4 years ago • 7 comments

Hi, I'm trying to create an integration system between Wazuh and an Incident Handling tool (like, for example, TheHive). I would like to keep the implementation as high-level as possible. I thought of mapping Wazuh alert fields to IHTool fields; to do this I need a list of the possible Wazuh alert fields, but I can't find this anywhere. Could you please help me? Do I have to bring up a Wazuh instance, trigger all types of rules/alerts manually and then analyze all the alerts generated? Is there a better way?

Thanks a lot for your help!

myasn1k, Oct 10 '20 13:10

https://github.com/wazuh/wazuh/blob/master/extensions/elasticsearch/7.x/wazuh-template.json

There are some here, but they're not all of them.

myasn1k, Oct 10 '20 15:10

Here are the ones from the link above, plus some taken from a detection session on a Windows machine:

Number of fields of the subset: 496
GeoLocation.city_name
GeoLocation.continent_code
GeoLocation.country_code2
GeoLocation.country_code3
GeoLocation.country_name
GeoLocation.ip
GeoLocation.postal_code
GeoLocation.real_region_name
GeoLocation.region_name
GeoLocation.timezone
agent.id
agent.ip
agent.name
cluster.name
cluster.node
command
data
data.action
data.audit
data.audit.acct
data.audit.arch
data.audit.auid
data.audit.command
data.audit.cwd
data.audit.dev
data.audit.directory.inode
data.audit.directory.mode
data.audit.directory.name
data.audit.egid
data.audit.enforcing
data.audit.euid
data.audit.exe
data.audit.execve.a0
data.audit.execve.a1
data.audit.execve.a2
data.audit.execve.a3
data.audit.exit
data.audit.file.inode
data.audit.file.mode
data.audit.file.name
data.audit.fsgid
data.audit.fsuid
data.audit.gid
data.audit.id
data.audit.key
data.audit.list
data.audit.old-auid
data.audit.old-ses
data.audit.old_enforcing
data.audit.old_prom
data.audit.op
data.audit.pid
data.audit.ppid
data.audit.prom
data.audit.res
data.audit.session
data.audit.sgid
data.audit.srcip
data.audit.subj
data.audit.success
data.audit.suid
data.audit.syscall
data.audit.tty
data.audit.uid
data.aws.accountId
data.aws.account_id
data.aws.action
data.aws.actor
data.aws.aws_account_id
data.aws.description
data.aws.dstport
data.aws.errorCode
data.aws.errorMessage
data.aws.eventID
data.aws.eventName
data.aws.eventSource
data.aws.eventType
data.aws.id
data.aws.name
data.aws.requestParameters.accessKeyId
data.aws.requestParameters.bucketName
data.aws.requestParameters.gatewayId
data.aws.requestParameters.groupDescription
data.aws.requestParameters.groupId
data.aws.requestParameters.groupName
data.aws.requestParameters.host
data.aws.requestParameters.hostedZoneId
data.aws.requestParameters.instanceId
data.aws.requestParameters.instanceProfileName
data.aws.requestParameters.loadBalancerName
data.aws.requestParameters.loadBalancerPorts
data.aws.requestParameters.masterUserPassword
data.aws.requestParameters.masterUsername
data.aws.requestParameters.name
data.aws.requestParameters.natGatewayId
data.aws.requestParameters.networkAclId
data.aws.requestParameters.path
data.aws.requestParameters.policyName
data.aws.requestParameters.port
data.aws.requestParameters.stackId
data.aws.requestParameters.stackName
data.aws.requestParameters.subnetId
data.aws.requestParameters.subnetIds
data.aws.requestParameters.volumeId
data.aws.requestParameters.vpcId
data.aws.resource.accessKeyDetails.accessKeyId
data.aws.resource.accessKeyDetails.principalId
data.aws.resource.accessKeyDetails.userName
data.aws.resource.instanceDetails.instanceId
data.aws.resource.instanceDetails.instanceState
data.aws.resource.instanceDetails.networkInterfaces.privateDnsName
data.aws.resource.instanceDetails.networkInterfaces.publicDnsName
data.aws.resource.instanceDetails.networkInterfaces.subnetId
data.aws.resource.instanceDetails.networkInterfaces.vpcId
data.aws.resource.instanceDetails.tags.value
data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId
data.aws.responseElements.description
data.aws.responseElements.instanceId
data.aws.responseElements.instances.instanceId
data.aws.responseElements.instancesSet.items.instanceId
data.aws.responseElements.listeners.port
data.aws.responseElements.loadBalancerName
data.aws.responseElements.loadBalancers.vpcId
data.aws.responseElements.loginProfile.userName
data.aws.responseElements.networkAcl.vpcId
data.aws.responseElements.ownerId
data.aws.responseElements.publicIp
data.aws.responseElements.user.userId
data.aws.responseElements.user.userName
data.aws.responseElements.volumeId
data.aws.service.serviceName
data.aws.severity
data.aws.source
data.aws.sourceIPAddress
data.aws.srcport
data.aws.userIdentity.accessKeyId
data.aws.userIdentity.accountId
data.aws.userIdentity.userName
data.aws.vpcEndpointId
data.command
data.data
data.docker.Actor.Attributes.container
data.docker.Actor.Attributes.image
data.docker.Actor.Attributes.name
data.docker.Actor.ID
data.docker.id
data.docker.message
data.docker.status
data.dstip
data.dstport
data.dstuser
data.extra_data
data.hardware.serial
data.id
data.integration
data.netinfo.iface.adapter
data.netinfo.iface.ipv4.address
data.netinfo.iface.ipv6.address
data.netinfo.iface.mac
data.netinfo.iface.name
data.os.architecture
data.os.build
data.os.codename
data.os.hostname
data.os.major
data.os.minor
data.os.name
data.os.platform
data.os.release
data.os.release_version
data.os.sysname
data.os.version
data.oscap.check.description
data.oscap.check.id
data.oscap.check.identifiers
data.oscap.check.oval.id
data.oscap.check.rationale
data.oscap.check.references
data.oscap.check.result
data.oscap.check.severity
data.oscap.check.title
data.oscap.scan.benchmark.id
data.oscap.scan.content
data.oscap.scan.id
data.oscap.scan.profile.id
data.oscap.scan.profile.title
data.osquery.columns.address
data.osquery.columns.command
data.osquery.columns.description
data.osquery.columns.dst_ip
data.osquery.columns.gid
data.osquery.columns.hostname
data.osquery.columns.md5
data.osquery.columns.path
data.osquery.columns.sha1
data.osquery.columns.sha256
data.osquery.columns.src_ip
data.osquery.columns.user
data.osquery.columns.username
data.osquery.name
data.osquery.pack
data.port.process
data.port.protocol
data.port.state
data.process.args
data.process.cmd
data.process.egroup
data.process.euser
data.process.fgroup
data.process.name
data.process.rgroup
data.process.ruser
data.process.sgroup
data.process.state
data.process.suser
data.program.architecture
data.program.description
data.program.format
data.program.location
data.program.multiarch
data.program.name
data.program.priority
data.program.section
data.program.source
data.program.vendor
data.program.version
data.protocol
data.pwd
data.sca
data.sca.check.compliance.cis
data.sca.check.compliance.cis_csc
data.sca.check.compliance.hipaa
data.sca.check.compliance.nist_800_53
data.sca.check.compliance.pci_dss
data.sca.check.compliance.tsc
data.sca.check.description
data.sca.check.directory
data.sca.check.file
data.sca.check.id
data.sca.check.previous_result
data.sca.check.process
data.sca.check.rationale
data.sca.check.reason
data.sca.check.references
data.sca.check.registry
data.sca.check.remediation
data.sca.check.result
data.sca.check.status
data.sca.check.title
data.sca.description
data.sca.failed
data.sca.file
data.sca.invalid
data.sca.name
data.sca.passed
data.sca.policy
data.sca.policy_id
data.sca.scan_id
data.sca.score
data.sca.total_checks
data.sca.type
data.script
data.src_ip
data.src_port
data.srcip
data.srcport
data.srcuser
data.status
data.system_name
data.title
data.tty
data.type
data.uid
data.url
data.virustotal.description
data.virustotal.error
data.virustotal.found
data.virustotal.permalink
data.virustotal.scan_date
data.virustotal.sha1
data.virustotal.source.alert_id
data.virustotal.source.file
data.virustotal.source.md5
data.virustotal.source.sha1
data.vulnerability.assigner
data.vulnerability.cve
data.vulnerability.cve_version
data.vulnerability.cvss.cvss2.base_score
data.vulnerability.cvss.cvss2.exploitability_score
data.vulnerability.cvss.cvss2.impact_score
data.vulnerability.cvss.cvss2.vector.access_complexity
data.vulnerability.cvss.cvss2.vector.attack_vector
data.vulnerability.cvss.cvss2.vector.authentication
data.vulnerability.cvss.cvss2.vector.availability
data.vulnerability.cvss.cvss2.vector.confidentiality_impact
data.vulnerability.cvss.cvss2.vector.integrity_impact
data.vulnerability.cvss.cvss2.vector.privileges_required
data.vulnerability.cvss.cvss2.vector.scope
data.vulnerability.cvss.cvss2.vector.user_interaction
data.vulnerability.cvss.cvss3.base_score
data.vulnerability.cvss.cvss3.exploitability_score
data.vulnerability.cvss.cvss3.impact_score
data.vulnerability.cvss.cvss3.vector.access_complexity
data.vulnerability.cvss.cvss3.vector.attack_vector
data.vulnerability.cvss.cvss3.vector.authentication
data.vulnerability.cvss.cvss3.vector.availability
data.vulnerability.cvss.cvss3.vector.confidentiality_impact
data.vulnerability.cvss.cvss3.vector.integrity_impact
data.vulnerability.cvss.cvss3.vector.privileges_required
data.vulnerability.cvss.cvss3.vector.scope
data.vulnerability.cvss.cvss3.vector.user_interaction
data.vulnerability.cwe_reference
data.vulnerability.package.architecture
data.vulnerability.package.condition
data.vulnerability.package.generated_cpe
data.vulnerability.package.name
data.vulnerability.package.source
data.vulnerability.package.version
data.vulnerability.rationale
data.vulnerability.severity
data.vulnerability.title
data.win.eventdata.accountExpires
data.win.eventdata.auditPolicyChanges
data.win.eventdata.auditPolicyChangesId
data.win.eventdata.authenticationPackageName
data.win.eventdata.binary
data.win.eventdata.category
data.win.eventdata.categoryId
data.win.eventdata.data
data.win.eventdata.deviceName
data.win.eventdata.displayName
data.win.eventdata.elevatedToken
data.win.eventdata.first
data.win.eventdata.homeDirectory
data.win.eventdata.homePath
data.win.eventdata.hr
data.win.eventdata.image
data.win.eventdata.impersonationLevel
data.win.eventdata.ipAddress
data.win.eventdata.ipPort
data.win.eventdata.keyLength
data.win.eventdata.keyName
data.win.eventdata.logonGuid
data.win.eventdata.logonHours
data.win.eventdata.logonProcessName
data.win.eventdata.logonType
data.win.eventdata.memberSid
data.win.eventdata.nTSTATUS
data.win.eventdata.newUacValue
data.win.eventdata.oldUacValue
data.win.eventdata.operation
data.win.eventdata.param1
data.win.eventdata.param10
data.win.eventdata.param11
data.win.eventdata.param2
data.win.eventdata.param3
data.win.eventdata.param4
data.win.eventdata.param5
data.win.eventdata.param6
data.win.eventdata.param7
data.win.eventdata.param8
data.win.eventdata.param9
data.win.eventdata.parentImage
data.win.eventdata.passwordLastSet
data.win.eventdata.primaryGroupId
data.win.eventdata.processId
data.win.eventdata.processName
data.win.eventdata.profilePath
data.win.eventdata.providerName
data.win.eventdata.returnCode
data.win.eventdata.samAccountName
data.win.eventdata.scriptPath
data.win.eventdata.second
data.win.eventdata.service
data.win.eventdata.sourceFileID
data.win.eventdata.sourceLine
data.win.eventdata.sourceTag
data.win.eventdata.status
data.win.eventdata.subcategory
data.win.eventdata.subcategoryGuid
data.win.eventdata.subcategoryId
data.win.eventdata.subjectDomainName
data.win.eventdata.subjectLogonId
data.win.eventdata.subjectUserName
data.win.eventdata.subjectUserSid
data.win.eventdata.targetDomainName
data.win.eventdata.targetLinkedLogonId
data.win.eventdata.targetLogonId
data.win.eventdata.targetSid
data.win.eventdata.targetUserName
data.win.eventdata.targetUserSid
data.win.eventdata.userAccountControl
data.win.eventdata.userParameters
data.win.eventdata.userWorkstations
data.win.eventdata.virtualAccount
data.win.eventdata.volumeName
data.win.eventdata.workstationName
data.win.system.channel
data.win.system.computer
data.win.system.eventID
data.win.system.eventRecordID
data.win.system.eventSourceName
data.win.system.keywords
data.win.system.level
data.win.system.message
data.win.system.opcode
data.win.system.processID
data.win.system.providerGuid
data.win.system.providerName
data.win.system.securityUserID
data.win.system.severityValue
data.win.system.systemTime
data.win.system.task
data.win.system.threadID
data.win.system.userID
data.win.system.version
decoder.ftscomment
decoder.name
decoder.parent
full_log
host
id
input
location
manager.name
message
offset
predecoder.hostname
predecoder.program_name
predecoder.timestamp
previous_log
previous_output
program_name
rule.cis
rule.cis_csc
rule.cve
rule.description
rule.firedtimes
rule.gdpr
rule.gpg13
rule.groups
rule.hipaa
rule.id
rule.info
rule.level
rule.mail
rule.mitre.id
rule.mitre.tactic
rule.mitre.technique
rule.nist_800_53
rule.pci_dss
rule.tsc
syscheck.attrs_after
syscheck.audit.effective_user.id
syscheck.audit.effective_user.name
syscheck.audit.group.id
syscheck.audit.group.name
syscheck.audit.login_user.id
syscheck.audit.login_user.name
syscheck.audit.process.id
syscheck.audit.process.name
syscheck.audit.process.ppid
syscheck.audit.user.id
syscheck.audit.user.name
syscheck.changed_attributes
syscheck.diff
syscheck.event
syscheck.gid_after
syscheck.gid_before
syscheck.gname_after
syscheck.gname_before
syscheck.inode_after
syscheck.inode_before
syscheck.md5_after
syscheck.md5_before
syscheck.mode
syscheck.mtime_after
syscheck.mtime_before
syscheck.path
syscheck.perm_after
syscheck.perm_before
syscheck.sha1_after
syscheck.sha1_before
syscheck.sha256_after
syscheck.sha256_before
syscheck.size_after
syscheck.size_before
syscheck.tags
syscheck.uid_after
syscheck.uid_before
syscheck.uname_after
syscheck.uname_before
syscheck.win_perm_after
timestamp
title
type

myasn1k, Oct 10 '20 15:10
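The inventory asked for in the opening question can be built from two files the thread already points at, without triggering every rule: the index template (wazuh-template.json) and the decoder XML of the ruleset. The script below is an added example, not code from the Wazuh project or from this thread. It flattens the template's mappings.properties into dotted leaf paths (skipping multi-field aliases under "fields"), pulls the comma-separated names out of decoder <order> tags and prefixes them with data., which is where the alert JSON nests decoded fields, and finally diffs a sample alert against the merged set to show which names the inventory still lacks. The template excerpt, the decoder snippets and the alert are constructed stand-ins for the real files.

```python
"""Build the set of field names a Wazuh alert can carry from two sources:

  1. the index template (wazuh-template.json): every leaf under
     mappings.properties is a field; nested objects become dotted paths;
  2. decoder XML: each <order>a, b, c</order> tag names the dynamic fields a
     decoder extracts, which the alert JSON places under "data.".

Added example; the template, decoders and alert below are constructed,
abbreviated stand-ins for the real files so that the script runs offline.
"""
from __future__ import annotations

import json
import re

# Constructed stand-in for wazuh-template.json (abbreviated).
SAMPLE_TEMPLATE = json.dumps({
    "mappings": {
        "dynamic_templates": [{"string_as_keyword": {
            "match_mapping_type": "string", "mapping": {"type": "keyword"}}}],
        "properties": {
            "timestamp": {"type": "date"},
            "agent": {"properties": {"id": {"type": "keyword"},
                                     "name": {"type": "keyword"}}},
            "rule": {"properties": {
                "id": {"type": "keyword"},
                "mitre": {"properties": {"id": {"type": "keyword"},
                                         "tactic": {"type": "keyword"}}},
            }},
            "data": {"properties": {
                "srcip": {"type": "ip"},
                "audit": {"properties": {"syscall": {"type": "keyword"}}},
            }},
            # multi-field: full_log.keyword is an index-side copy, not an alert field
            "full_log": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
        },
    }
})

# Constructed decoder snippets written in Wazuh decoder syntax (not the real ruleset).
SAMPLE_DECODERS = r"""
<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>

<decoder name="web-accesslog">
  <prematch>^\S+ - \S+ \[</prematch>
  <regex>^(\S+) - \S+ \[\S+ \S+\] "\S+ (\S+) \S+" (\d+) (\S+)</regex>
  <order>srcip, url, id, protocol</order>
</decoder>
"""

ORDER_TAG = re.compile(r"<order>(.*?)</order>", re.S)


def template_fields(template_json: str) -> set[str]:
    """Flatten mappings.properties of an index template into dotted leaf paths."""
    mappings = json.loads(template_json)["mappings"]
    found: set[str] = set()

    def walk(properties: dict, prefix: str) -> None:
        for name, spec in properties.items():
            path = prefix + name
            if isinstance(spec, dict) and "properties" in spec:
                walk(spec["properties"], path + ".")  # object: recurse, no container entry
            else:
                found.add(path)  # leaf; anything under "fields" is an alias and is skipped

    walk(mappings.get("properties", {}), "")
    return found


def decoder_fields(decoder_xml: str, prefix: str = "data.") -> set[str]:
    """Names listed in <order> tags, prefixed the way the alert JSON nests them.

    A regex over the raw text is used rather than an XML parser: decoder files
    hold several top-level <decoder> elements with no single root, and only the
    tag's inner text is captured, so a closing tag cannot leak into a name.
    """
    found: set[str] = set()
    for body in ORDER_TAG.findall(decoder_xml):
        for name in body.split(","):
            name = name.strip()
            if name:
                found.add(prefix + name)
    return found


def known_fields(template_json: str = SAMPLE_TEMPLATE,
                 decoder_xml: str = SAMPLE_DECODERS) -> set[str]:
    """Union of both sources: the inventory to map onto the IH tool."""
    return template_fields(template_json) | decoder_fields(decoder_xml)


def flatten_alert(alert: dict, prefix: str = "") -> set[str]:
    """Dotted paths present in one alert; lists count as leaves."""
    found: set[str] = set()
    for key, value in alert.items():
        path = prefix + key
        if isinstance(value, dict) and value:
            found |= flatten_alert(value, path + ".")
        else:
            found.add(path)
    return found


def unmapped_fields(alert: dict, known: set[str]) -> set[str]:
    """Fields an alert carries that the inventory lacks: the gaps still to map."""
    return flatten_alert(alert) - known


# Constructed alert shaped like Wazuh's alerts.json output (values are made up).
SAMPLE_ALERT = {
    "timestamp": "2020-10-10T13:10:00.000+0000",
    "rule": {"id": "100001", "level": 3, "mitre": {"id": ["T1078"]}},
    "agent": {"id": "001", "name": "web01"},
    "data": {"srcip": "203.0.113.7", "dstuser": "alice"},
    "full_log": "Accepted publickey for alice from 203.0.113.7 port 51234 ssh2",
}

if __name__ == "__main__":
    inventory = known_fields()
    for field in sorted(inventory):
        print(field)
    print("not in inventory:", sorted(unmapped_fields(SAMPLE_ALERT, inventory)))
```

In a deployment, pass template_fields the downloaded wazuh-template.json and decoder_fields the concatenated contents of the decoder XML files (on a manager they typically live under /var/ossec/ruleset/decoders/, plus any custom decoders). Static names such as srcip or dstuser end up under data. in the alert JSON exactly like dynamic ones, which is why the prefix is applied uniformly; running unmapped_fields over a day of alerts.json then lists the names the inventory still misses, instead of having to inspect every alert by hand.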

Executing grep -R '<order>.*</order>' in the wazuh-ruleset folder and merging the two sets of strings, I found this (not sure if it is correct; maybe the fields in the order tags aren't complete):

Total fields: 1165

1NFI
1NMW
AVDets
AccessRequested
Action
Analyzer
AnalyzerContentCreationDate
AnalyzerContentVersion
AnalyzerDetectionMethod
AnalyzerHostName
AnalyzerName
AnalyzerRuleName
AnalyzerVersion
AttackVectorType
BladeName
Broken
BytesReceived
BytesSent
Cat
Category
CfgSvcLevel
Child1NFI
Child1NMW
ChildAVDets
ChildBroken
ChildCat
ChildClass
ChildCompany
ChildDriveType
ChildExeType
ChildFlags
ChildHash
ChildHeurFI
ChildImageType
ChildJIDFI
ChildJIDMW
ChildMWName
ChildPath
ChildPrevLastDay
ChildPrevalence
ChildSkeptic
ChildStatus
ChildValidSig
Class
ClientCat
Company
Cookies
DetId
DetectedUTC
Direction
DriveType
DurationBeforeDetection
EventID
ExeType
GMTTime
GeoLocation.city_name
GeoLocation.continent_code
GeoLocation.country_code2
GeoLocation.country_code3
GeoLocation.country_name
GeoLocation.ip
GeoLocation.postal_code
GeoLocation.real_region_name
GeoLocation.region_name
GeoLocation.timezone
Hash
HeurFI
HostName
IP
ImageType
JIDFI
JIDMW
Key
LEEFversion
LocalIp
LocalPort
LoggedUser
MPPE_key_strength
MUID
MWName
NaturalLangDescription
NumCacheClassifiedElements
OCS_Exec
OCS_Name
OCS_Version
Op
OperationFlags
PECreationSource
PID
Params
Parent1NFI
Parent1NMW
ParentAVDets
ParentBroken
ParentCat
ParentClass
ParentCompany
ParentDriveType
ParentExeType
ParentFlags
ParentHash
ParentHeurFI
ParentImageType
ParentJIDFI
ParentJIDMW
ParentMWName
ParentPID
ParentPath
ParentPrevLastDay
ParentPrevalence
ParentSkeptic
ParentStatus
ParentValidSig
Path
PolicyName
Port
PrevLastDay
Prevalence
Product
ProductVersion
Protocol
RealSvcLevel
Reason
RegAction
RegKey
ResolutionTime
ResponseCat
ResponseError
ServiceLevel
Severity
Skeptic
SourceAccessTime
SourceCreateTime
SourceFilePath
SourceFileSize
SourceModifyTime
SourceProcessHash
SourceProcessName
SourceProcessSigned
SourceProcessSigner
SourceProcessTrusted
SourceUserName
TargetFileName
TargetHostName
TargetName
TargetPath
TargetSigned
TargetTrusted
TargetUserName
ThreatActionTaken
ThreatCategory
ThreatEventID
ThreatHandled
ThreatName
ThreatSeverity
ThreatType
Timeout
Timezone
ToastResult
URL
ValidSig
Value
ValueData
Vendor
WinningTech
accesses
account
account_domain
account_name
action
action_flags
action_src
actionflags
address
after
agent.cur_version
agent.id
agent.ip
agent.name
agent.new_version
agent_guid
app
appName
app_up
application
arch
arg
assembly_id
attack
attack.name
audit.acct
audit.arch
audit.auid
audit.command
audit.cwd
audit.dev
audit.directory.inode
audit.directory.mode
audit.directory.name
audit.egid
audit.enforcing
audit.euid
audit.exe
audit.execve.a0
audit.execve.a1
audit.execve.a2
audit.execve.a3
audit.execve.a4
audit.execve.a5
audit.execve.a6
audit.execve.a7
audit.exit
audit.file.inode
audit.file.mode
audit.file.name
audit.fsgid
audit.fsuid
audit.gid
audit.id
audit.key
audit.list
audit.old-auid
audit.old-ses
audit.old_enforcing
audit.old_prom
audit.op
audit.pid
audit.ppid
audit.prom
audit.res
audit.session
audit.sgid
audit.srcip
audit.subj
audit.success
audit.suid
audit.syscall
audit.tty
audit.type
audit.uid
auth_method
average_rate
before
block
burst_rate
bytes
bytes_from_client
bytes_from_server
bytes_received
bytes_sent
c
call_stack
caller_computer
cat
category
client_dyn_ip
cluster.name
cluster.node
code
command
community
conn_direction
connection
content_type
context_ID
context_num
contextnum
cookiei
cookier
cumulative_count
cylance_events.classification
cylance_events.cylancescore
cylance_events.detectedby
cylance_events.devicename
cylance_events.eventstatus
cylance_events.everrun
cylance_events.filepath
cylance_events.md5
cylance_events.running
cylance_events.serialnumber
cylance_events.sha256
cylance_threats.access_time
cylance_threats.auto_run
cylance_threats.av_industry
cylance_threats.cert_issuer
cylance_threats.cert_publisher
cylance_threats.cert_subject
cylance_threats.cert_timestamp
cylance_threats.classification
cylance_threats.company_name
cylance_threats.copyright
cylance_threats.create_time
cylance_threats.cylance_score
cylance_threats.description
cylance_threats.detected_by
cylance_threats.device_name
cylance_threats.drive_type
cylance_threats.ever_run
cylance_threats.file_name
cylance_threats.file_owner
cylance_threats.file_path
cylance_threats.file_size
cylance_threats.file_status
cylance_threats.file_version
cylance_threats.first_found
cylance_threats.global_quarantined
cylance_threats.last_found
cylance_threats.md5
cylance_threats.modification_time
cylance_threats.product_name
cylance_threats.running
cylance_threats.safelisted
cylance_threats.serial_number
cylance_threats.sha256
cylance_threats.signature_status
cylance_threats.signed
data
data.action
data.audit
data.audit.acct
data.audit.arch
data.audit.auid
data.audit.command
data.audit.cwd
data.audit.dev
data.audit.directory.inode
data.audit.directory.mode
data.audit.directory.name
data.audit.egid
data.audit.enforcing
data.audit.euid
data.audit.exe
data.audit.execve.a0
data.audit.execve.a1
data.audit.execve.a2
data.audit.execve.a3
data.audit.exit
data.audit.file.inode
data.audit.file.mode
data.audit.file.name
data.audit.fsgid
data.audit.fsuid
data.audit.gid
data.audit.id
data.audit.key
data.audit.list
data.audit.old-auid
data.audit.old-ses
data.audit.old_enforcing
data.audit.old_prom
data.audit.op
data.audit.pid
data.audit.ppid
data.audit.prom
data.audit.res
data.audit.session
data.audit.sgid
data.audit.srcip
data.audit.subj
data.audit.success
data.audit.suid
data.audit.syscall
data.audit.tty
data.audit.uid
data.aws.accountId
data.aws.account_id
data.aws.action
data.aws.actor
data.aws.aws_account_id
data.aws.description
data.aws.dstport
data.aws.errorCode
data.aws.errorMessage
data.aws.eventID
data.aws.eventName
data.aws.eventSource
data.aws.eventType
data.aws.id
data.aws.name
data.aws.requestParameters.accessKeyId
data.aws.requestParameters.bucketName
data.aws.requestParameters.gatewayId
data.aws.requestParameters.groupDescription
data.aws.requestParameters.groupId
data.aws.requestParameters.groupName
data.aws.requestParameters.host
data.aws.requestParameters.hostedZoneId
data.aws.requestParameters.instanceId
data.aws.requestParameters.instanceProfileName
data.aws.requestParameters.loadBalancerName
data.aws.requestParameters.loadBalancerPorts
data.aws.requestParameters.masterUserPassword
data.aws.requestParameters.masterUsername
data.aws.requestParameters.name
data.aws.requestParameters.natGatewayId
data.aws.requestParameters.networkAclId
data.aws.requestParameters.path
data.aws.requestParameters.policyName
data.aws.requestParameters.port
data.aws.requestParameters.stackId
data.aws.requestParameters.stackName
data.aws.requestParameters.subnetId
data.aws.requestParameters.subnetIds
data.aws.requestParameters.volumeId
data.aws.requestParameters.vpcId
data.aws.resource.accessKeyDetails.accessKeyId
data.aws.resource.accessKeyDetails.principalId
data.aws.resource.accessKeyDetails.userName
data.aws.resource.instanceDetails.instanceId
data.aws.resource.instanceDetails.instanceState
data.aws.resource.instanceDetails.networkInterfaces.privateDnsName
data.aws.resource.instanceDetails.networkInterfaces.publicDnsName
data.aws.resource.instanceDetails.networkInterfaces.subnetId
data.aws.resource.instanceDetails.networkInterfaces.vpcId
data.aws.resource.instanceDetails.tags.value
data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId
data.aws.responseElements.description
data.aws.responseElements.instanceId
data.aws.responseElements.instances.instanceId
data.aws.responseElements.instancesSet.items.instanceId
data.aws.responseElements.listeners.port
data.aws.responseElements.loadBalancerName
data.aws.responseElements.loadBalancers.vpcId
data.aws.responseElements.loginProfile.userName
data.aws.responseElements.networkAcl.vpcId
data.aws.responseElements.ownerId
data.aws.responseElements.publicIp
data.aws.responseElements.user.userId
data.aws.responseElements.user.userName
data.aws.responseElements.volumeId
data.aws.service.serviceName
data.aws.severity
data.aws.source
data.aws.sourceIPAddress
data.aws.srcport
data.aws.userIdentity.accessKeyId
data.aws.userIdentity.accountId
data.aws.userIdentity.userName
data.aws.vpcEndpointId
data.command
data.data
data.docker.Actor.Attributes.container
data.docker.Actor.Attributes.image
data.docker.Actor.Attributes.name
data.docker.Actor.ID
data.docker.id
data.docker.message
data.docker.status
data.dstip
data.dstport
data.dstuser
data.extra_data
data.hardware.serial
data.id
data.integration
data.netinfo.iface.adapter
data.netinfo.iface.ipv4.address
data.netinfo.iface.ipv6.address
data.netinfo.iface.mac
data.netinfo.iface.name
data.os.architecture
data.os.build
data.os.codename
data.os.hostname
data.os.major
data.os.minor
data.os.name
data.os.platform
data.os.release
data.os.release_version
data.os.sysname
data.os.version
data.oscap.check.description
data.oscap.check.id
data.oscap.check.identifiers
data.oscap.check.oval.id
data.oscap.check.rationale
data.oscap.check.references
data.oscap.check.result
data.oscap.check.severity
data.oscap.check.title
data.oscap.scan.benchmark.id
data.oscap.scan.content
data.oscap.scan.id
data.oscap.scan.profile.id
data.oscap.scan.profile.title
data.osquery.columns.address
data.osquery.columns.command
data.osquery.columns.description
data.osquery.columns.dst_ip
data.osquery.columns.gid
data.osquery.columns.hostname
data.osquery.columns.md5
data.osquery.columns.path
data.osquery.columns.sha1
data.osquery.columns.sha256
data.osquery.columns.src_ip
data.osquery.columns.user
data.osquery.columns.username
data.osquery.name
data.osquery.pack
data.port.process
data.port.protocol
data.port.state
data.process.args
data.process.cmd
data.process.egroup
data.process.euser
data.process.fgroup
data.process.name
data.process.rgroup
data.process.ruser
data.process.sgroup
data.process.state
data.process.suser
data.program.architecture
data.program.description
data.program.format
data.program.location
data.program.multiarch
data.program.name
data.program.priority
data.program.section
data.program.source
data.program.vendor
data.program.version
data.protocol
data.pwd
data.sca
data.sca.check.compliance.cis
data.sca.check.compliance.cis_csc
data.sca.check.compliance.hipaa
data.sca.check.compliance.nist_800_53
data.sca.check.compliance.pci_dss
data.sca.check.compliance.tsc
data.sca.check.description
data.sca.check.directory
data.sca.check.file
data.sca.check.id
data.sca.check.previous_result
data.sca.check.process
data.sca.check.rationale
data.sca.check.reason
data.sca.check.references
data.sca.check.registry
data.sca.check.remediation
data.sca.check.result
data.sca.check.status
data.sca.check.title
data.sca.description
data.sca.failed
data.sca.file
data.sca.invalid
data.sca.name
data.sca.passed
data.sca.policy
data.sca.policy_id
data.sca.scan_id
data.sca.score
data.sca.total_checks
data.sca.type
data.script
data.src_ip
data.src_port
data.srcip
data.srcport
data.srcuser
data.status
data.system_name
data.title
data.tty
data.type
data.uid
data.url
data.virustotal.description
data.virustotal.error
data.virustotal.found
data.virustotal.permalink
data.virustotal.scan_date
data.virustotal.sha1
data.virustotal.source.alert_id
data.virustotal.source.file
data.virustotal.source.md5
data.virustotal.source.sha1
data.vulnerability.assigner
data.vulnerability.cve
data.vulnerability.cve_version
data.vulnerability.cvss.cvss2.base_score
data.vulnerability.cvss.cvss2.exploitability_score
data.vulnerability.cvss.cvss2.impact_score
data.vulnerability.cvss.cvss2.vector.access_complexity
data.vulnerability.cvss.cvss2.vector.attack_vector
data.vulnerability.cvss.cvss2.vector.authentication
data.vulnerability.cvss.cvss2.vector.availability
data.vulnerability.cvss.cvss2.vector.confidentiality_impact
data.vulnerability.cvss.cvss2.vector.integrity_impact
data.vulnerability.cvss.cvss2.vector.privileges_required
data.vulnerability.cvss.cvss2.vector.scope
data.vulnerability.cvss.cvss2.vector.user_interaction
data.vulnerability.cvss.cvss3.base_score
data.vulnerability.cvss.cvss3.exploitability_score
data.vulnerability.cvss.cvss3.impact_score
data.vulnerability.cvss.cvss3.vector.access_complexity
data.vulnerability.cvss.cvss3.vector.attack_vector
data.vulnerability.cvss.cvss3.vector.authentication
data.vulnerability.cvss.cvss3.vector.availability
data.vulnerability.cvss.cvss3.vector.confidentiality_impact
data.vulnerability.cvss.cvss3.vector.integrity_impact
data.vulnerability.cvss.cvss3.vector.privileges_required
data.vulnerability.cvss.cvss3.vector.scope
data.vulnerability.cvss.cvss3.vector.user_interaction
data.vulnerability.cwe_reference
data.vulnerability.package.architecture
data.vulnerability.package.condition
data.vulnerability.package.generated_cpe
data.vulnerability.package.name
data.vulnerability.package.source
data.vulnerability.package.version
data.vulnerability.rationale
data.vulnerability.severity
data.vulnerability.title
data.win.eventdata.accountExpires
data.win.eventdata.auditPolicyChanges
data.win.eventdata.auditPolicyChangesId
data.win.eventdata.authenticationPackageName
data.win.eventdata.binary
data.win.eventdata.category
data.win.eventdata.categoryId
data.win.eventdata.data
data.win.eventdata.deviceName
data.win.eventdata.displayName
data.win.eventdata.elevatedToken
data.win.eventdata.first
data.win.eventdata.homeDirectory
data.win.eventdata.homePath
data.win.eventdata.hr
data.win.eventdata.image
data.win.eventdata.impersonationLevel
data.win.eventdata.ipAddress
data.win.eventdata.ipPort
data.win.eventdata.keyLength
data.win.eventdata.keyName
data.win.eventdata.logonGuid
data.win.eventdata.logonHours
data.win.eventdata.logonProcessName
data.win.eventdata.logonType
data.win.eventdata.memberSid
data.win.eventdata.nTSTATUS
data.win.eventdata.newUacValue
data.win.eventdata.oldUacValue
data.win.eventdata.operation
data.win.eventdata.param1
data.win.eventdata.param10
data.win.eventdata.param11
data.win.eventdata.param2
data.win.eventdata.param3
data.win.eventdata.param4
data.win.eventdata.param5
data.win.eventdata.param6
data.win.eventdata.param7
data.win.eventdata.param8
data.win.eventdata.param9
data.win.eventdata.parentImage
data.win.eventdata.passwordLastSet
data.win.eventdata.primaryGroupId
data.win.eventdata.processId
data.win.eventdata.processName
data.win.eventdata.profilePath
data.win.eventdata.providerName
data.win.eventdata.returnCode
data.win.eventdata.samAccountName
data.win.eventdata.scriptPath
data.win.eventdata.second
data.win.eventdata.service
data.win.eventdata.sourceFileID
data.win.eventdata.sourceLine
data.win.eventdata.sourceTag
data.win.eventdata.status
data.win.eventdata.subcategory
data.win.eventdata.subcategoryGuid
data.win.eventdata.subcategoryId
data.win.eventdata.subjectDomainName
data.win.eventdata.subjectLogonId
data.win.eventdata.subjectUserName
data.win.eventdata.subjectUserSid
data.win.eventdata.targetDomainName
data.win.eventdata.targetLinkedLogonId
data.win.eventdata.targetLogonId
data.win.eventdata.targetSid
data.win.eventdata.targetUserName
data.win.eventdata.targetUserSid
data.win.eventdata.userAccountControl
data.win.eventdata.userParameters
data.win.eventdata.userWorkstations
data.win.eventdata.virtualAccount
data.win.eventdata.volumeName
data.win.eventdata.workstationName
data.win.system.channel
data.win.system.computer
data.win.system.eventID
data.win.system.eventRecordID
data.win.system.eventSourceName
data.win.system.keywords
data.win.system.level
data.win.system.message
data.win.system.opcode
data.win.system.processID
data.win.system.providerGuid
data.win.system.providerName
data.win.system.securityUserID
data.win.system.severityValue
data.win.system.systemTime
data.win.system.task
data.win.system.threadID
data.win.system.userID
data.win.system.version
days
decoder.ftscomment
decoder.name
decoder.parent
defender.action
defender.category
defender.detectionsource
defender.detectiontype
defender.id
defender.name
defender.path
defender.pathfound
defender.processname
defender.severity
description
destination_zone
devTime
devTimeFormat
device_name
dg_hier_level_1
dg_hier_level_1_to_dg_hier_level_4
dg_hier_level_2
dg_hier_level_3
dg_hier_level_4
docker.level
docker.message
domain
dpkg_status
dst
dstMac
dst_ip
dst_location
dst_nat_rule_name
dst_port
dst_user
dst_vm_uuid
dst_zone
dstip
dstname
dstport
dstuser
duration
encrypted
error
error_code
euid
eventid
existing_arp
extra_data
firewall_name
flags
fragment_id
from_level
full_log
fw
fw_action
fw_subproduct
generated_time
gid
group
hdrlen
hll_key
home
host
host_ip
hostname
http/2_connection
icm_type
icmp_id
icmp_type
id
identHostName
identSrc
identity_guard.authenticationtype
identity_guard.defaultpassword
identity_guard.id
identity_guard.type
if_name
ifdir
ifname
ike
inbound_interface
input
int_mac_address
interface
inzone
ip
ip.address
ip_address
jenkins.action
jenkins.component
jenkins.plugin
jenkins.severity
key
layer_name
layer_uuid
ldap_data.Department
ldap_data.SecurityGroup
ldap_data.Username
ldap_data.code
ldap_data.comment
ldap_data.error_message
ldap_data.ldaperr
learning
level
limit
location
log
log_action
logid
logname
logon_type
loguid
m
mac_address
machine_name
manager.name
mapped_dst_ip
mapped_dst_port
mapped_src_ip
mapped_src_port
mariadb.action
mariadb.connectionid
mariadb.database
mariadb.host
mariadb.info
mariadb.ip
mariadb.log
mariadb.object
mariadb.operation
mariadb.queryid
mariadb.resource
mariadb.retcode
mariadb.type
mariadb.username
match_id
max_average_rate
max_burst_rate
message
methods
module
module_id
mongodb.component
mongodb.connections
mongodb.context
mongodb.database
mongodb.nconnection
mongodb.severity
monitor_tag
msg
msgid
n
nat_addtnl_rulenum
nat_dst_ip
nat_dst_port
nat_dstip
nat_dstport
nat_rulenum
nat_src_ip
nat_src_port
nat_srcip
nat_srcport
nested_application
new_arp
number
object
offset
origin
origin1
origin2
originsicname
os.name
oscap.check.description
oscap.check.id
oscap.check.identifiers
oscap.check.oval.id
oscap.check.rationale
oscap.check.references
oscap.check.result
oscap.check.severity
oscap.check.title
oscap.scan.benchmark.id
oscap.scan.content
oscap.scan.id
oscap.scan.profile.id
oscap.scan.profile.title
oscap.scan.return_code
oscap.scan.score
outbound_interface
outzone
package
packet_incoming_interface
packets
packets_from_client
packets_from_serve
packets_received
packets_sent
parent_rule
parent_session_id
parent_start_time
pc
peer_gateway
percentage
pktlen
policy_id_tag
policy_name
predecoder.hostname
predecoder.program_name
predecoder.timestamp
previous_log
previous_output
pri
process
product
product_family
product_name
product_version
program_name
proto
protocol
protocol_id
protocol_name
pwd
qualysguard.created
qualysguard.dns_hostname
qualysguard.due_date
qualysguard.instance
qualysguard.ip
qualysguard.modified
qualysguard.netbios_hostname
qualysguard.owner
qualysguard.port
qualysguard.qid
qualysguard.resolved
qualysguard.severity
qualysguard.state
qualysguard.ticket
qualysguard.vulnerability_title
rate_ID
reason
receive_time
reject_category
remote-peer
remote_peer
resource
roles
rule.cis
rule.cis_csc
rule.cve
rule.description
rule.firedtimes
rule.gdpr
rule.gpg13
rule.groups
rule.hipaa
rule.id
rule.info
rule.level
rule.mail
rule.mitre.id
rule.mitre.tactic
rule.mitre.technique
rule.nist_800_53
rule.pci_dss
rule.tsc
rule_action
rule_name
rule_uid
running
s_port
scheme
score
script
sctp_association_id
sctp_chunks
sctp_chunks_received
sctp_chunks_sent
security_id
sequence_number
sequencenum
serial_number
server
service
service_id
service_name
session
session_end_reason
session_id
session_id_32
severity
shell
size
sn
source
source_zone
sqlserver.configuredlevel
sqlserver.dbname
sqlserver.effectivelevel
sqlserver.error
sqlserver.errorhex
sqlserver.fsaccesssharename
sqlserver.library
sqlserver.procedure
sqlserver.processid
sqlserver.severity
sqlserver.state
src
srcMac
src_ip
src_location
src_mac
src_nat_rule_name
src_port
src_user
src_vm_uuid
src_zone
srchost
srcip
srcip2
srcport
srcuser
start_time
status
sub_cat
subcat
subject.account_domain
subject.account_name
subject.logon_id
subject.security_id
syscheck.attrs_after
syscheck.audit.effective_user.id
syscheck.audit.effective_user.name
syscheck.audit.group.id
syscheck.audit.group.name
syscheck.audit.login_user.id
syscheck.audit.login_user.name
syscheck.audit.process.id
syscheck.audit.process.name
syscheck.audit.process.ppid
syscheck.audit.user.id
syscheck.audit.user.name
syscheck.changed_attributes
syscheck.diff
syscheck.event
syscheck.gid_after
syscheck.gid_before
syscheck.gname_after
syscheck.gname_before
syscheck.inode_after
syscheck.inode_before
syscheck.md5_after
syscheck.md5_before
syscheck.mode
syscheck.mtime_after
syscheck.mtime_before
syscheck.path
syscheck.perm_after
syscheck.perm_before
syscheck.sha1_after
syscheck.sha1_before
syscheck.sha256_after
syscheck.sha256_before
syscheck.size_after
syscheck.size_before
syscheck.tags
syscheck.uid_after
syscheck.uid_before
syscheck.uname_after
syscheck.uname_before
syscheck.win_perm_after
sysmon.commandLine
sysmon.creationUtcTime
sysmon.creationutctime
sysmon.currentDirectory
sysmon.destinationHostname
sysmon.destinationIsIpv6
sysmon.dstPortName
sysmon.filecreated
sysmon.hash
sysmon.hashes
sysmon.image
sysmon.imageLoaded
sysmon.initiated
sysmon.integrityLevel
sysmon.logonGuid
sysmon.logonId
sysmon.parentCommandLine
sysmon.parentImage
sysmon.parentProcessGuid
sysmon.parentProcessId
sysmon.previousCreationUtcTime
sysmon.processGuid
sysmon.processId
sysmon.processguid
sysmon.processid
sysmon.signature
sysmon.signed
sysmon.sourceHostname
sysmon.sourceImage
sysmon.sourceIsIpv6
sysmon.srcPortName
sysmon.startFunction
sysmon.startModule
sysmon.state
sysmon.targetImage
sysmon.targetfilename
sysmon.terminalSessionId
sysmon.utctime
system_name
tag
target_file
test
threat_level
time
time_generated
timestamp
timezone
timezone_bias
title
to_level
total_blocked
total_processed
tty
tunnel_id
tunnel_type
type
uid
uri
url
user
user_agent
username
usrName
uuid_for_rule
vers
version
virtual_if
virtual_system
virtual_system_name
vpn_feature_name
xlatedport
xlateds
xlatesport
xlatesrc
zone_name

myasn1k avatar Oct 10 '20 16:10 myasn1k

Hello,

An alert can have the following fields:

  • rule
  • agent
  • manager
  • id
  • cluster
  • previous_output
  • srcgeoip
  • dstgeoip
  • full_log
  • syscheck
  • predecoder
  • command
  • decoder
  • previous_log
  • data

In turn, these fields have subfields (as shown in the first list you commented on).

I think it's difficult to list all fields allowed in an alert because in the decoding phase you can extract the information you want (they are saved in the data field). The rest of the fields usually have the same subfields, although the type of alert should be taken into account (it can come from syscheck, vulnerability detector, logcollector, etc.).

I don't know if this is very helpful. If you give us more information we can try to help you.

Regards, Eva

Lopuiz avatar Oct 14 '20 15:10 Lopuiz
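The answer above says an alert has a fixed set of top-level keys while the subfields under `data` depend on the decoder. The script below, an added example and not code from Wazuh or from anyone in this thread, turns that into a check you can run over an `alerts.json` export instead of eyeballing alerts by hand: it flattens each alert into dotted paths, counts how often each path occurs, and separates the documented top-level keys from the decoder-dependent `data.*` ones, flagging any top-level key the list above does not mention. The two alerts embedded in it are constructed for the example, not real captures; the set of documented keys is taken from the answer above plus `timestamp`, `location` and `GeoLocation`, which the thread mentions further down.

```python
"""Enumerate the field paths actually present in a set of Wazuh alerts.

Added example for this thread, not Wazuh's own code. It reads alerts in
the alerts.json layout (one JSON object per line), flattens nested objects
into dotted paths (rule.id, data.srcip, ...) and separates the fixed
top-level keys listed in the answer above from the decoder-dependent
ones that live under `data`. The sample alerts are constructed.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Top-level keys an alert can carry, as listed in the answer above, plus
# timestamp/location and the GeoLocation object mentioned in this thread.
KNOWN_TOP_LEVEL = {
    "rule", "agent", "manager", "id", "cluster", "previous_output",
    "srcgeoip", "dstgeoip", "GeoLocation", "full_log", "syscheck",
    "predecoder", "command", "decoder", "previous_log", "data",
    "timestamp", "location",
}

# Constructed sample alerts (not real captures); the shapes follow the
# field names collected in this thread.
SAMPLE_ALERTS = """\
{"timestamp":"2020-10-14T15:00:00.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web01","ip":"10.0.0.5"},"manager":{"name":"wazuh-manager"},"id":"1602687600.12345","full_log":"Oct 14 15:00:00 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2","predecoder":{"program_name":"sshd","timestamp":"Oct 14 15:00:00","hostname":"web01"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"203.0.113.7","srcport":"4242","srcuser":"admin"},"location":"/var/log/auth.log"}
{"timestamp":"2020-10-14T15:01:00.000+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","firedtimes":1,"mail":false,"groups":["ossec","syscheck"]},"agent":{"id":"002","name":"db01","ip":"10.0.0.6"},"manager":{"name":"wazuh-manager"},"id":"1602687660.12346","syscheck":{"path":"/etc/passwd","mode":"realtime","size_before":"2104","size_after":"2150","md5_before":"d41d8cd98f00b204e9800998ecf8427e","md5_after":"0cc175b9c0f1b6a831c399e269772661","event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}
"""


def flatten(obj, prefix: str = "") -> Dict[str, object]:
    """Return {dotted.path: leaf_value} for a nested dict.

    Lists are kept as leaves: rule.groups is one field whose value is a
    list, which is also how the Elasticsearch template models it.
    """
    out: Dict[str, object] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            out.update(flatten(value, path))
    else:
        out[prefix] = obj
    return out


def iter_alerts(text: str) -> Iterable[dict]:
    """Parse alerts.json content: one JSON document per non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def field_inventory(text: str) -> Counter:
    """Count in how many alerts each dotted field path occurs."""
    counts: Counter = Counter()
    for alert in iter_alerts(text):
        counts.update(flatten(alert).keys())
    return counts


def split_fields(counts: Counter) -> Tuple[List[str], List[str], List[str]]:
    """Split paths into documented top-level ones, decoder-dependent
    data.* ones, and top-level keys missing from the documented set."""
    stable: List[str] = []
    dynamic: List[str] = []
    unexpected: List[str] = []
    for path in sorted(counts):
        top = path.split(".", 1)[0]
        if top == "data":
            dynamic.append(path)
        elif top in KNOWN_TOP_LEVEL:
            stable.append(path)
        else:
            unexpected.append(path)
    return stable, dynamic, unexpected


if __name__ == "__main__":
    inv = field_inventory(SAMPLE_ALERTS)
    stable, dynamic, unexpected = split_fields(inv)
    print(f"{len(stable)} documented paths, {len(dynamic)} data.* paths")
    for path in dynamic:
        print(f"  {path} (seen in {inv[path]} of the alerts)")
    if unexpected:
        print("top-level keys not in the documented list:", unexpected)
```

Point it at a real `/var/ossec/logs/alerts/alerts.json` by replacing `SAMPLE_ALERTS` with the file contents; the `unexpected` list is the part worth watching, since any key it reports is one your mapping to the incident tool would otherwise silently drop.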

Hi @Lopuiz , thanks a lot for your answer!

I agree with the field list you posted except for two fields: srcgeoip and dstgeoip. I can't find those fields anywhere in my alerts. I instead found these (as I just said, in wazuh-template.json):

GeoLocation.city_name
GeoLocation.continent_code
GeoLocation.country_code2
GeoLocation.country_code3
GeoLocation.country_name
GeoLocation.ip
GeoLocation.postal_code
GeoLocation.real_region_name
GeoLocation.region_name
GeoLocation.timezone

And also those:

host
input
location
message
offset
program_name
timestamp
title

Are those listed above correct? Or maybe they belong to an old Wazuh version?

And another question: if I understood correctly how Wazuh composes alerts, the various subfields of the data field are not pre-defined but are just added to the Wazuh alert "dynamically". I mean that data subfields are extracted from other "engines", and not Wazuh ones. So I should analyze all those engines to understand what fields they generate etc. Am I correct?

I hope I explained myself more or less; thanks a lot for your precious help!

myasn1k avatar Oct 14 '20 15:10 myasn1k

Regarding GeoLocation fields, to use these fields Wazuh must be compiled using the USE_GEOIP flag. All makefile options here.

I forgot to mention the timestamp and location fields. program_name and hostname are subfields of predecoder. The rest of the fields in your second list seem to be dynamic fields.

Modules like syscheck, vulnerability detector, openscap integration, etc. have their own decoding fields (and I can find them in the Elastic template). But, yes, you should analyze all those engines. It's good to extract all decoder fields from the Wazuh ruleset to map them (as you did), but users can create their own ruleset, and Windows events and JSON events can have different fields.

Lopuiz avatar Oct 16 '20 11:10 Lopuiz
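The reply above distinguishes decoders whose output fields are declared in the ruleset from decoders that pass through whatever the event carries (JSON and Windows events). The script below is an added example, not part of the Wazuh ruleset or the integration being built here. It scans a decoder file for `<order>` declarations, which name the fields a static decoder emits (they appear in the alert as `data.<name>`), and reports decoders that use `<plugin_decoder>JSON_Decoder</plugin_decoder>` as dynamic, since their fields can only be learned from the events themselves. Wazuh reads these files with its own XML reader and a decoder file has no single root element, so a tolerant regex scan is used instead of a strict XML parser; that choice, and the sample decoder text, are this example's own assumptions rather than anything the ruleset documents.

```python
"""List the fields a Wazuh decoder file can emit.

Added example for this thread, not part of the Wazuh ruleset. Static
decoders declare their output fields in <order>; those names show up in
the alert as data.<name>. Decoders that use the JSON plugin decoder emit
whatever keys the event carries, so they are reported as dynamic.
Decoder files have no single root element and may contain characters a
strict XML parser rejects, so a tolerant regex scan is used here
(an assumption about the input, not a Wazuh API). SAMPLE_DECODERS is
constructed for the example and does not reproduce real ruleset files.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_DECODERS = r"""
<!-- constructed sample, not the real Wazuh sshd/mariadb decoders -->
<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-failed">
  <parent>sshd</parent>
  <prematch>^Failed password for invalid user </prematch>
  <regex offset="after_prematch">^(\S+) from (\S+) port (\d+)</regex>
  <order>srcuser, srcip, srcport</order>
</decoder>

<decoder name="mariadb-audit">
  <prematch>mariadb-audit: </prematch>
  <regex offset="after_prematch">^(\S+),(\S+),(\S+)</regex>
  <order>mariadb.host, mariadb.username, mariadb.action</order>
</decoder>

<decoder name="json">
  <prematch>^{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>
"""

# One <decoder name="..."> ... </decoder> block at a time, across lines.
DECODER_RE = re.compile(r'<decoder\s+name="([^"]+)"[^>]*>(.*?)</decoder>', re.S)
ORDER_RE = re.compile(r"<order>(.*?)</order>", re.S)
PLUGIN_RE = re.compile(r"<plugin_decoder>(.*?)</plugin_decoder>", re.S)
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)


def parse_decoders(text: str) -> Dict[str, Tuple[List[str], bool]]:
    """Map decoder name -> (declared field names, uses a plugin decoder)."""
    text = COMMENT_RE.sub("", text)  # commented-out decoders must not count
    result: Dict[str, Tuple[List[str], bool]] = {}
    for name, body in DECODER_RE.findall(text):
        fields: List[str] = []
        for order in ORDER_RE.findall(body):
            # <order> is a comma-separated list; whitespace is insignificant
            fields.extend(f.strip() for f in order.split(",") if f.strip())
        uses_plugin = PLUGIN_RE.search(body) is not None
        result[name] = (fields, uses_plugin)
    return result


def alert_paths(decoders: Dict[str, Tuple[List[str], bool]]) -> Tuple[Set[str], List[str]]:
    """Return (static data.* paths you can map up front,
    names of decoders whose fields are only known from the events)."""
    static: Set[str] = set()
    dynamic: List[str] = []
    for name, (fields, uses_plugin) in decoders.items():
        static.update("data." + f for f in fields)
        if uses_plugin:
            dynamic.append(name)
    return static, sorted(dynamic)


if __name__ == "__main__":
    static, dynamic = alert_paths(parse_decoders(SAMPLE_DECODERS))
    for path in sorted(static):
        print(path)
    print("decoders with event-defined fields:", ", ".join(dynamic))
```

Run it over the concatenation of `/var/ossec/ruleset/decoders/*.xml` and `/var/ossec/etc/decoders/*.xml` to cover both the stock and the local decoders; the static set is what you can map to the incident tool ahead of time, and the dynamic list tells you which inputs still need a field inventory taken from real alerts.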

Thanks a lot for your help.

I'm working on this; when everything is hopefully completed I'll post a reference here.

myasn1k avatar Oct 20 '20 16:10 myasn1k