wazuh
wazuh copied to clipboard
Published
20 hours ago •
wazuh
wazuh
Some alerts are generated (alert.json) but not showed in Kibana
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.1 >= | Filebeat | Manager | Any | Linux |
Hi Team!,
Some alerts are being generated and stored in the alerts.json file, but they are not being displayed on Kibana.
This sometimes happens because the alerts can't be indexed if they do not fit the expected Filebeat template format.
On the issue #9662, a user reported that the following alerts are being generated by the default ruleset:
{"timestamp":"2021-08-25T04:49:04.283+0000","rule":{"level":5,"description":"Zeek: SSH Connection","id":"66001","firedtimes":89,"mail":false,"groups":["zeek","ids"]},"agent":{"id":"012","name":"liveness.server","ip":"172.31.21.152"},"manager":{"name":"wazuh-manager"},"id":"1629866944.15751292","full_log":"{\"ts\":1629866937.6732931,\"uid\":\"CbZm0X3Ntova265R3g\",\"id.orig_h\":\"176.111.173.85\",\"id.orig_p\":17962,\"id.resp_h\":\"172.31.21.152\",\"id.resp_p\":22,\"auth_attempts\":0,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh_0.9.5\",\"bro_engine\":\"SSH\"}","decoder":{"name":"json"},"data":{"ts":"1629866937.673293","uid":"CbZm0X3Ntova265R3g","id":{"orig_h":"176.111.173.85","orig_p":"17962","resp_h":"172.31.21.152","resp_p":"22"},"auth_attempts":"0","direction":"INBOUND","client":"SSH-2.0-libssh_0.9.5","bro_engine":"SSH"},"location":"/usr/local/zeek/logs/current/ssh.log"}
{"timestamp":"2021-08-25T04:49:08.288+0000","rule":{"level":5,"description":"Zeek: Connection detail","id":"66004","firedtimes":545,"mail":false,"groups":["zeek","ids"]},"agent":{"id":"012","name":"liveness.server","ip":"172.31.21.152"},"manager":{"name":"wazuh-manager"},"id":"1629866948.15751907","full_log":"{\"ts\":1629866941.511791,\"uid\":\"CYv7Rk33iFIqKurOfc\",\"id.orig_h\":\"107.189.31.98\",\"id.orig_p\":59480,\"id.resp_h\":\"172.31.21.152\",\"id.resp_p\":22,\"proto\":\"tcp\",\"duration\":0.31515789031982422,\"orig_bytes\":0,\"resp_bytes\":0,\"conn_state\":\"SH\",\"local_orig\":false,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"ScAF\",\"orig_pkts\":5,\"orig_ip_bytes\":268,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"bro_engine\":\"CONN\"}","decoder":{"name":"json"},"data":{"ts":"1629866941.511791","uid":"CYv7Rk33iFIqKurOfc","id":{"orig_h":"107.189.31.98","orig_p":"59480","resp_h":"172.31.21.152","resp_p":"22"},"proto":"tcp","duration":"0.315158","orig_bytes":"0","resp_bytes":"0","conn_state":"SH","local_orig":"false","local_resp":"true","missed_bytes":"0","history":"ScAF","orig_pkts":"5","orig_ip_bytes":"268","resp_pkts":"0","resp_ip_bytes":"0","bro_engine":"CONN"},"location":"/usr/local/zeek/logs/current/conn.log"}
{"timestamp":"2021-08-25T04:49:14.093+0000","rule":{"level":5,"description":"Zeek: Connection detail","id":"66004","firedtimes":546,"mail":false,"groups":["zeek","ids"]},"agent":{"id":"003","name":"esign.kycaml.systems","ip":"172.31.9.38"},"manager":{"name":"wazuh-manager"},"id":"1629866954.15752818","full_log":"{\"ts\":1629866952.767386,\"uid\":\"CpTBQ1aO5afQRWU26\",\"id.orig_h\":\"172.31.9.38\",\"id.orig_p\":35688,\"id.resp_h\":\"52.95.16.182\",\"id.resp_p\":443,\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"C\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"bro_engine\":\"CONN\"}","decoder":{"name":"json"},"data":{"ts":"1629866952.767386","uid":"CpTBQ1aO5afQRWU26","id":{"orig_h":"172.31.9.38","orig_p":"35688","resp_h":"52.95.16.182","resp_p":"443"},"proto":"tcp","conn_state":"OTH","local_orig":"true","local_resp":"false","missed_bytes":"0","history":"C","orig_pkts":"0","orig_ip_bytes":"0","resp_pkts":"0","resp_ip_bytes":"0","bro_engine":"CONN"},"location":"/usr/local/zeek/logs/current/conn.log"}
Filebeat collects them, but they are not being indexed:
2021-08-27T13:36:23.221Z WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc04258758bc036ad, ext:165343414356, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"4dcb71b0-1628-4491-aefd-10910ed5a1c6","hostname":"manager","id":"21a55aae-0516-4eb7-aee7-86f0e8761c26","name":"manager","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"manager"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":7347},"message":"{\"timestamp\":\"2021-08-25T04:49:04.283+0000\",\"rule\":{\"level\":5,\"description\":\"Zeek: SSH Connection\",\"id\":\"66001\",\"firedtimes\":89,\"mail\":false,\"groups\":[\"zeek\",\"ids\"]},\"agent\":{\"id\":\"012\",\"name\":\"liveness.server\",\"ip\":\"172.31.21.152\"},\"manager\":{\"name\":\"wazuh-manager\"},\"id\":\"1629866944.15751292\",\"full_log\":\"{\\\"ts\\\":1629866937.6732931,\\\"uid\\\":\\\"CbZm0X3Ntova265R3g\\\",\\\"id.orig_h\\\":\\\"176.111.173.85\\\",\\\"id.orig_p\\\":17962,\\\"id.resp_h\\\":\\\"172.31.21.152\\\",\\\"id.resp_p\\\":22,\\\"auth_attempts\\\":0,\\\"direction\\\":\\\"INBOUND\\\",\\\"client\\\":\\\"SSH-2.0-libssh_0.9.5\\\",\\\"bro_engine\\\":\\\"SSH\\\"}\",\"decoder\":{\"name\":\"json\"},\"data\":{\"ts\":\"1629866937.673293\",\"uid\":\"CbZm0X3Ntova265R3g\",\"id\":{\"orig_h\":\"176.111.173.85\",\"orig_p\":\"17962\",\"resp_h\":\"172.31.21.152\",\"resp_p\":\"22\"},\"auth_attempts\":\"0\",\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh_0.9.5\",\"bro_engine\":\"SSH\"},\"location\":\"/usr/local/zeek/logs/current/ssh.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::67161127-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000462a90), Source:"/var/ossec/logs/alerts/alerts.json", Offset:8241, Timestamp:time.Time{wall:0xc042584ec3e3c18f, ext:10211525922, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x400cc27, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.id] of type [keyword] in document with id 'NM_Th3sBkjI4v_RsZDGv'. Preview of field's value: '{orig_p=17962, resp_h=172.31.21.152, orig_h=176.111.173.85, resp_p=22}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:215"}}
2021-08-27T13:36:23.221Z WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc04258758bc4b3a5, ext:165343708492, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"4dcb71b0-1628-4491-aefd-10910ed5a1c6","hostname":"manager","id":"21a55aae-0516-4eb7-aee7-86f0e8761c26","name":"manager","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"manager"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":8241},"message":"{\"timestamp\":\"2021-08-25T04:49:08.288+0000\",\"rule\":{\"level\":5,\"description\":\"Zeek: Connection detail\",\"id\":\"66004\",\"firedtimes\":545,\"mail\":false,\"groups\":[\"zeek\",\"ids\"]},\"agent\":{\"id\":\"012\",\"name\":\"liveness.server\",\"ip\":\"172.31.21.152\"},\"manager\":{\"name\":\"wazuh-manager\"},\"id\":\"1629866948.15751907\",\"full_log\":\"{\\\"ts\\\":1629866941.511791,\\\"uid\\\":\\\"CYv7Rk33iFIqKurOfc\\\",\\\"id.orig_h\\\":\\\"107.189.31.98\\\",\\\"id.orig_p\\\":59480,\\\"id.resp_h\\\":\\\"172.31.21.152\\\",\\\"id.resp_p\\\":22,\\\"proto\\\":\\\"tcp\\\",\\\"duration\\\":0.31515789031982422,\\\"orig_bytes\\\":0,\\\"resp_bytes\\\":0,\\\"conn_state\\\":\\\"SH\\\",\\\"local_orig\\\":false,\\\"local_resp\\\":true,\\\"missed_bytes\\\":0,\\\"history\\\":\\\"ScAF\\\",\\\"orig_pkts\\\":5,\\\"orig_ip_bytes\\\":268,\\\"resp_pkts\\\":0,\\\"resp_ip_bytes\\\":0,\\\"bro_engine\\\":\\\"CONN\\\"}\",\"decoder\":{\"name\":\"json\"},\"data\":{\"ts\":\"1629866941.511791\",\"uid\":\"CYv7Rk33iFIqKurOfc\",\"id\":{\"orig_h\":\"107.189.31.98\",\"orig_p\":\"59480\",\"resp_h\":\"172.31.21.152\",\"resp_p\":\"22\"},\"proto\":\"tcp\",\"duration\":\"0.315158\",\"orig_bytes\":\"0\",\"resp_bytes\":\"0\",\"conn_state\":\"SH\",\"local_orig\":\"false\",\"local_resp\":\"true\",\"missed_bytes\":\"0\",\"history\":\"ScAF\",\"orig_pkts\":\"5\",\"orig_ip_bytes\":\"268\",\"resp_pkts\":\"0\",\"resp_ip_bytes\":\"0\",\"bro_engine\":\"CONN\"},\"location\":\"/usr/local/zeek/logs/current/conn.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::67161127-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000462a90), Source:"/var/ossec/logs/alerts/alerts.json", Offset:9484, Timestamp:time.Time{wall:0xc042584ec3e3c18f, ext:10211525922, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x400cc27, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.id] of type [keyword] in document with id 'Nc_Th3sBkjI4v_RsZDGv'. Preview of field's value: '{orig_p=59480, resp_h=172.31.21.152, orig_h=107.189.31.98, resp_p=22}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:403"}}
2021-08-27T13:36:23.221Z WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc04258758bc795b8, ext:165343897440, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"4dcb71b0-1628-4491-aefd-10910ed5a1c6","hostname":"manager","id":"21a55aae-0516-4eb7-aee7-86f0e8761c26","name":"manager","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"manager"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":9484},"message":"{\"timestamp\":\"2021-08-25T04:49:14.093+0000\",\"rule\":{\"level\":5,\"description\":\"Zeek: Connection detail\",\"id\":\"66004\",\"firedtimes\":546,\"mail\":false,\"groups\":[\"zeek\",\"ids\"]},\"agent\":{\"id\":\"003\",\"name\":\"esign.kycaml.systems\",\"ip\":\"172.31.9.38\"},\"manager\":{\"name\":\"wazuh-manager\"},\"id\":\"1629866954.15752818\",\"full_log\":\"{\\\"ts\\\":1629866952.767386,\\\"uid\\\":\\\"CpTBQ1aO5afQRWU26\\\",\\\"id.orig_h\\\":\\\"172.31.9.38\\\",\\\"id.orig_p\\\":35688,\\\"id.resp_h\\\":\\\"52.95.16.182\\\",\\\"id.resp_p\\\":443,\\\"proto\\\":\\\"tcp\\\",\\\"conn_state\\\":\\\"OTH\\\",\\\"local_orig\\\":true,\\\"local_resp\\\":false,\\\"missed_bytes\\\":0,\\\"history\\\":\\\"C\\\",\\\"orig_pkts\\\":0,\\\"orig_ip_bytes\\\":0,\\\"resp_pkts\\\":0,\\\"resp_ip_bytes\\\":0,\\\"bro_engine\\\":\\\"CONN\\\"}\",\"decoder\":{\"name\":\"json\"},\"data\":{\"ts\":\"1629866952.767386\",\"uid\":\"CpTBQ1aO5afQRWU26\",\"id\":{\"orig_h\":\"172.31.9.38\",\"orig_p\":\"35688\",\"resp_h\":\"52.95.16.182\",\"resp_p\":\"443\"},\"proto\":\"tcp\",\"conn_state\":\"OTH\",\"local_orig\":\"true\",\"local_resp\":\"false\",\"missed_bytes\":\"0\",\"history\":\"C\",\"orig_pkts\":\"0\",\"orig_ip_bytes\":\"0\",\"resp_pkts\":\"0\",\"resp_ip_bytes\":\"0\",\"bro_engine\":\"CONN\"},\"location\":\"/usr/local/zeek/logs/current/conn.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::67161127-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000462a90), Source:"/var/ossec/logs/alerts/alerts.json", Offset:10593, Timestamp:time.Time{wall:0xc042584ec3e3c18f, ext:10211525922, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x400cc27, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.id] of type [keyword] in document with id 'Ns_Th3sBkjI4v_RsZDGv'. Preview of field's value: '{orig_p=35688, resp_h=52.95.16.182, orig_h=172.31.9.38, resp_p=443}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:345"}}
This is because of the data.id field of the alert (field id obtained in the decoding stage) not being a string, which is the data type expected by the Filbeat template.
Similar problems have been detected in our google group with the timestamp field, as for this field needs to be a date.
Regards, Julian
Hi, just wondering if there's been any progress on this. I too am trying to integrate Zeek logs with Wazuh, and running into the exact issue mentioned in #9962.
Hi @mttaggart,
We have not yet moved forward with these particular issues, but we are looking for a comprehensive solution to the template problem. When there will be news you can see them in this same issue
Regards, Julian
for Immediate solution you can change zeek log output:
example for DNS record I change main.zeek in path /zeek/share/zeek/base/protocols/dns/main.zeek
new main.zeek:
##! Base DNS analysis script which tracks and logs DNS queries along with
##! their responses.
@load base/utils/queue
@load ./consts
@load base/protocols/conn/removal-hooks
module DNS;
export {
## The DNS logging stream identifier.
redef enum Log::ID += { LOG };
## A default logging policy hook for the stream.
global log_policy: Log::PolicyHook;
## The record type which contains the column fields of the DNS log.
type Info: record {
## The earliest time at which a DNS protocol message over the
## associated connection is observed.
ts: time &log;
## A unique identifier of the connection over which DNS messages
## are being transferred.
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
identifier: conn_id &log;
## The transport layer protocol of the connection.
proto: transport_proto &log;
## A 16-bit identifier assigned by the program that generated
## the DNS query. Also used in responses to match up replies to
## outstanding queries.
trans_id: count &log &optional;
## Round trip time for the query and response. This indicates
## the delay between when the request was seen until the
## answer started.
rtt: interval &log &optional;
## The domain name that is the subject of the DNS query.
query: string &log &optional;
## The QCLASS value specifying the class of the query.
qclass: count &log &optional;
## A descriptive name for the class of the query.
qclass_name: string &log &optional;
## A QTYPE value specifying the type of the query.
qtype: count &log &optional;
## A descriptive name for the type of the query.
qtype_name: string &log &optional;
## The response code value in DNS response messages.
rcode: count &log &optional;
## A descriptive name for the response code value.
rcode_name: string &log &optional;
## The Authoritative Answer bit for response messages specifies
## that the responding name server is an authority for the
## domain name in the question section.
AA: bool &log &default=F;
## The Truncation bit specifies that the message was truncated.
TC: bool &log &default=F;
## The Recursion Desired bit in a request message indicates that
## the client wants recursive service for this query.
RD: bool &log &default=F;
## The Recursion Available bit in a response message indicates
## that the name server supports recursive queries.
RA: bool &log &default=F;
## A reserved field that is usually zero in
## queries and responses.
Z: count &log &default=0;
## The set of resource descriptions in the query answer.
answers: vector of string &log &optional;
## The caching intervals of the associated RRs described by the
## *answers* field.
TTLs: vector of interval &log &optional;
## The DNS query was rejected by the server.
rejected: bool &log &default=F;
## The total number of resource records in a reply message's
## answer section.
total_answers: count &optional;
## The total number of resource records in a reply message's
## answer, authority, and additional sections.
total_replies: count &optional;
## Whether the full DNS query has been seen.
saw_query: bool &default=F;
## Whether the full DNS reply has been seen.
saw_reply: bool &default=F;
};
## An event that can be handled to access the :zeek:type:`DNS::Info`
## record as it is sent to the logging framework.
global log_dns: event(rec: Info);
## This is called by the specific dns_*_reply events with a "reply"
## which may not represent the full data available from the resource
## record, but it's generally considered a summarization of the
## responses.
##
## c: The connection record for which to fill in DNS reply data.
##
## msg: The DNS message header information for the response.
##
## ans: The general information of a RR response.
##
## reply: The specific response information according to RR type/class.
global do_reply: hook(c: connection, msg: dns_msg, ans: dns_answer, reply: string);
## A hook that is called whenever a session is being set.
## This can be used if additional initialization logic needs to happen
## when creating a new session value.
##
## c: The connection involved in the new session.
##
## msg: The DNS message header information.
##
## is_query: Indicator for if this is being called for a query or a response.
global set_session: hook(c: connection, msg: dns_msg, is_query: bool);
## Yields a queue of :zeek:see:`DNS::Info` objects for a given
## DNS message query/transaction ID.
type PendingMessages: table[count] of Queue::Queue;
## Give up trying to match pending DNS queries or replies for a given
## query/transaction ID once this number of unmatched queries or replies
## is reached (this shouldn't happen unless either the DNS server/resolver
## is broken, Zeek is not seeing all the DNS traffic, or an AXFR query
## response is ongoing).
option max_pending_msgs = 50;
## Give up trying to match pending DNS queries or replies across all
## query/transaction IDs once there is at least one unmatched query or
## reply across this number of different query IDs.
option max_pending_query_ids = 50;
## A record type which tracks the status of DNS queries for a given
## :zeek:type:`connection`.
type State: record {
## A single query that hasn't been matched with a response yet.
## Note this is maintained separate from the *pending_queries*
## field solely for performance reasons -- it's possible that
## *pending_queries* contains further queries for which a response
## has not yet been seen, even for the same transaction ID.
pending_query: Info &optional;
## Indexed by query id, returns Info record corresponding to
## queries that haven't been matched with a response yet.
pending_queries: PendingMessages &optional;
## Indexed by query id, returns Info record corresponding to
## replies that haven't been matched with a query yet.
pending_replies: PendingMessages &optional;
};
## DNS finalization hook. Remaining DNS info may get logged when it's called.
global finalize_dns: Conn::RemovalHook;
}
redef record connection += {
dns: Info &optional;
dns_state: State &optional;
};
const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns, $path="dns", $policy=log_policy]);
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports);
}
function new_session(c: connection, trans_id: count): Info
{
local info: Info;
info$ts = network_time();
info$identifier = c$id;
info$uid = c$uid;
info$proto = get_port_transport_proto(c$id$resp_p);
info$trans_id = trans_id;
return info;
}
function log_unmatched_msgs_queue(q: Queue::Queue)
{
local infos: vector of Info;
Queue::get_vector(q, infos);
for ( i in infos )
{
Log::write(DNS::LOG, infos[i]);
}
}
function log_unmatched_msgs(msgs: PendingMessages)
{
for ( trans_id, q in msgs )
{
log_unmatched_msgs_queue(q);
}
clear_table(msgs);
}
function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
{
if ( id !in msgs )
{
if ( |msgs| > max_pending_query_ids )
{
# Throw away all unmatched on assumption they'll never be matched.
log_unmatched_msgs(msgs);
}
msgs[id] = Queue::init();
}
else
{
if ( Queue::len(msgs[id]) > max_pending_msgs )
{
log_unmatched_msgs_queue(msgs[id]);
# Throw away all unmatched on assumption they'll never be matched.
msgs[id] = Queue::init();
}
}
Queue::put(msgs[id], msg);
}
function pop_msg(msgs: PendingMessages, id: count): Info
{
local rval: Info = Queue::get(msgs[id]);
if ( Queue::len(msgs[id]) == 0 )
delete msgs[id];
return rval;
}
hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
{
if ( ! c?$dns_state )
{
local state: State;
c$dns_state = state;
Conn::register_removal_hook(c, finalize_dns);
}
if ( is_query )
{
if ( c$dns_state?$pending_replies && msg$id in c$dns_state$pending_replies &&
Queue::len(c$dns_state$pending_replies[msg$id]) > 0 )
{
# Match this DNS query w/ what's at head of pending reply queue.
c$dns = pop_msg(c$dns_state$pending_replies, msg$id);
}
else
{
# Create a new DNS session and put it in the query queue so
# we can wait for a matching reply.
c$dns = new_session(c, msg$id);
if( ! c$dns_state?$pending_query )
c$dns_state$pending_query = c$dns;
else
{
if( !c$dns_state?$pending_queries )
c$dns_state$pending_queries = table();
enqueue_new_msg(c$dns_state$pending_queries, msg$id, c$dns);
}
}
}
else
{
if ( c$dns_state?$pending_query && c$dns_state$pending_query$trans_id == msg$id )
{
c$dns = c$dns_state$pending_query;
delete c$dns_state$pending_query;
if ( c$dns_state?$pending_queries )
{
# Popping off an arbitrary, unpaired query to set as the
# new fastpath is necessary in order to preserve the overall
# queuing order of any pending queries that may share a
# transaction ID. If we didn't fill c$dns_state$pending_query
# back in, then it's possible a new query would jump ahead in
# the queue of some other pending query since
# c$dns_state$pending_query is filled first if available.
if ( msg$id in c$dns_state$pending_queries &&
Queue::len(c$dns_state$pending_queries[msg$id]) > 0 )
# Prioritize any pending query with matching ID to the one
# that just got paired with a response.
c$dns_state$pending_query = pop_msg(c$dns_state$pending_queries, msg$id);
else
{
# Just pick an arbitrary, unpaired query.
local tid: count &is_assigned;
local found_one = F;
for ( trans_id, q in c$dns_state$pending_queries )
if ( Queue::len(q) > 0 )
{
tid = trans_id;
found_one = T;
break;
}
if ( found_one )
c$dns_state$pending_query = pop_msg(c$dns_state$pending_queries, tid);
}
}
}
else if ( c$dns_state?$pending_queries && msg$id in c$dns_state$pending_queries &&
Queue::len(c$dns_state$pending_queries[msg$id]) > 0 )
{
# Match this DNS reply w/ what's at head of pending query queue.
c$dns = pop_msg(c$dns_state$pending_queries, msg$id);
}
else
{
# Create a new DNS session and put it in the reply queue so
# we can wait for a matching query.
c$dns = new_session(c, msg$id);
if( ! c$dns_state?$pending_replies )
c$dns_state$pending_replies = table();
enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns);
}
}
if ( ! is_query )
{
c$dns$rcode = msg$rcode;
c$dns$rcode_name = base_errors[msg$rcode];
if ( ! c$dns?$total_answers )
c$dns$total_answers = msg$num_answers;
if ( ! c$dns?$total_replies )
c$dns$total_replies = msg$num_answers + msg$num_addl + msg$num_auth;
if ( msg$rcode != 0 && msg$num_queries == 0 )
c$dns$rejected = T;
}
}
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
{
if ( msg$opcode != 0 )
# Currently only standard queries are tracked.
return;
hook set_session(c, msg, ! msg$QR);
}
hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
{
if ( msg$opcode != 0 )
# Currently only standard queries are tracked.
return;
if ( ! msg$QR )
# This is weird: the inquirer must also be providing answers in
# the request, which is not what we want to track.
return;
if ( ans$answer_type == DNS_ANS )
{
if ( ! c$dns?$query )
c$dns$query = ans$query;
c$dns$AA = msg$AA;
c$dns$RA = msg$RA;
if ( ! c$dns?$rtt )
{
c$dns$rtt = network_time() - c$dns$ts;
# This could mean that only a reply was seen since
# we assume there must be some passage of time between
# request and response.
if ( c$dns$rtt == 0secs )
delete c$dns$rtt;
}
if ( reply != "" )
{
if ( ! c$dns?$answers )
c$dns$answers = vector();
c$dns$answers += reply;
if ( ! c$dns?$TTLs )
c$dns$TTLs = vector();
c$dns$TTLs += ans$TTL;
}
}
}
event dns_end(c: connection, msg: dns_msg) &priority=5
{
if ( ! c?$dns )
return;
if ( msg$QR )
c$dns$saw_reply = T;
else
c$dns$saw_query = T;
}
event dns_end(c: connection, msg: dns_msg) &priority=-5
{
if ( c?$dns && c$dns$saw_reply && c$dns$saw_query )
{
Log::write(DNS::LOG, c$dns);
delete c$dns;
}
}
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
{
if ( msg$opcode != 0 )
# Currently only standard queries are tracked.
return;
c$dns$RD = msg$RD;
c$dns$TC = msg$TC;
c$dns$qclass = qclass;
c$dns$qclass_name = classes[qclass];
c$dns$qtype = qtype;
c$dns$qtype_name = query_types[qtype];
c$dns$Z = msg$Z;
# Decode netbios name queries
# Note: I'm ignoring the name type for now. Not sure if this should be
# worked into the query/response in some fashion.
if ( c$id$resp_p == 137/udp )
{
local decoded_query = decode_netbios_name(query);
if ( |decoded_query| != 0 )
query = decoded_query;
if ( c$dns$qtype_name == "SRV" )
{
# The SRV RFC used the ID used for NetBios Status RRs.
# So if this is NetBios Name Service we name it correctly.
c$dns$qtype_name = "NBSTAT";
}
}
c$dns$query = query;
}
event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
{
hook DNS::do_reply(c, msg, ans, fmt("<unknown type=%s>", ans$qtype));
}
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
{
hook DNS::do_reply(c, msg, ans, fmt("%s", a));
}
event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec) &priority=5
{
local txt_strings: string = "";
for ( i in strs )
{
if ( i > 0 )
txt_strings += " ";
txt_strings += fmt("TXT %d %s", |strs[i]|, strs[i]);
}
hook DNS::do_reply(c, msg, ans, txt_strings);
}
event dns_SPF_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec) &priority=5
{
local spf_strings: string = "";
for ( i in strs )
{
if ( i > 0 )
spf_strings += " ";
spf_strings += fmt("SPF %d %s", |strs[i]|, strs[i]);
}
hook DNS::do_reply(c, msg, ans, spf_strings);
}
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
{
hook DNS::do_reply(c, msg, ans, fmt("%s", a));
}
event dns_A6_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
{
hook DNS::do_reply(c, msg, ans, fmt("%s", a));
}
event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) &priority=5
{
hook DNS::do_reply(c, msg, ans, name);
}
event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) &priority=5
{
hook DNS::do_reply(c, msg, ans, name);
}
event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string,
preference: count) &priority=5
{
hook DNS::do_reply(c, msg, ans, name);
}
event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) &priority=5
{
hook DNS::do_reply(c, msg, ans, name);
}
event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa) &priority=5
{
hook DNS::do_reply(c, msg, ans, soa$mname);
}
event dns_WKS_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
{
hook DNS::do_reply(c, msg, ans, "");
}
event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count) &priority=5
{
hook DNS::do_reply(c, msg, ans, target);
}
# TODO: figure out how to handle these
#event dns_EDNS(c: connection, msg: dns_msg, ans: dns_answer)
# {
#
# }
#
#event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
# {
#
# }
# event dns_EDNS_ecs(c: connection, msg: dns_msg, opt: dns_edns_ecs)
# {
#
# }
#
#event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional)
# {
#
# }
event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr) &priority=5
{
local s: string;
s = fmt("RRSIG %s %s", rrsig$type_covered,
rrsig$signer_name == "" ? "<Root>" : rrsig$signer_name);
hook DNS::do_reply(c, msg, ans, s);
}
event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr) &priority=5
{
local s: string;
s = fmt("DNSKEY %s", dnskey$algorithm);
hook DNS::do_reply(c, msg, ans, s);
}
event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec) &priority=5
{
hook DNS::do_reply(c, msg, ans, fmt("NSEC %s %s", ans$query, next_name));
}
event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr) &priority=5
{
hook DNS::do_reply(c, msg, ans, "NSEC3");
}
event dns_NSEC3PARAM(c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr) &priority=5
{
hook DNS::do_reply(c, msg, ans, "NSEC3PARAM");
}
event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr) &priority=5
{
local s: string;
s = fmt("DS %s %s", ds$algorithm, ds$digest_type);
hook DNS::do_reply(c, msg, ans, s);
}
event dns_BINDS(c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr) &priority=5
{
hook DNS::do_reply(c, msg, ans, "BIND9 signing signal");
}
event dns_SSHFP(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string) &priority=5
{
local s: string;
s = fmt("SSHFP: %s", bytestring_to_hexstr(fingerprint));
hook DNS::do_reply(c, msg, ans, s);
}
event dns_LOC(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr) &priority=5
{
local s: string;
s = fmt("LOC: %d %d %d", loc$size, loc$horiz_pre, loc$vert_pre);
hook DNS::do_reply(c, msg, ans, s);
}
event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
{
if ( c?$dns )
c$dns$rejected = T;
}
hook finalize_dns(c: connection)
{
if ( ! c?$dns_state )
return;
# If Zeek is expiring state, we should go ahead and log all unmatched
# queries and replies now.
if( c$dns_state?$pending_query )
Log::write(DNS::LOG, c$dns_state$pending_query);
if( c$dns_state?$pending_queries )
log_unmatched_msgs(c$dns_state$pending_queries);
if( c$dns_state?$pending_replies )
log_unmatched_msgs(c$dns_state$pending_replies);
}
as you see I change id to identifier new dns.log:
{"ts":"2022-03-14T13:12:43.854682Z","uid":"C7qPUw4ul2cLxqJQq6","identifier.orig_h":"xxx.xxx.xxx.xxx","identifier.orig_p":46396,"identifier.resp_h":"xxx.xxx.xxx.xxx","identifier.resp_p":53,"proto":"udp","trans_id":28037,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false,"bro_engine":"DNS"}
and Wazuh works grate now:
This also affects Wazuh's native Azure integration which can produce alerts such as:
{"timestamp":"2022-05-18T14:36:53.672+0000","rule":{"level":3,"description":"Azure: AD ","id":"87802","firedtimes":1,"mail":false,"groups":["azure"]},"agent":{"id":"000","name":"wazuhmanager"},"manager":{"name":"wazuhmanager"},"id":"1652884613.107394","decoder":{"name":"json"},"data":{"id":"Directory_11111111-1111-1111-1111-111111111111_Y9GLM_86734990","category":"UserManagement","correlationId":"11111111-1111-1111-1111-111111111111","result":"success","activityDisplayName":"Delete user","activityDateTime":"2022-05-18T14:35:30.5989483Z","loggedByService":"Core Directory","operationType":"Delete","initiatedBy":{"app":"null","user":{"id":"11111111-1111-1111-1111-111111111111","displayName":"null","userPrincipalName":"[email protected]","ipAddress":"111.111.111.111","userType":"null","homeTenantId":"null","homeTenantName":"null"}},"targetResources":[{"id":"11111111-1111-1111-1111-111111111111","displayName":null,"type":"User","userPrincipalName":"11111111111111111111111111111111anotheruser_company.com#EXT#@company.onmicrosoft.com","groupType":null,"modifiedProperties":[{"displayName":"Is Hard Deleted","oldValue":null,"newValue":"\"False\""}]}],"additionalDetails":[],"azure_tag":"azure-ad-graph","azure_aad_tag":"azure-active_directory"},"location":"Azure"}
and
{"timestamp":"2022-05-18T07:20:57.015+0000","rule":{"level":3,"description":"Azure: AD ","id":"87802","firedtimes":1,"mail":false,"groups":["azure"]},"agent":{"id":"000","name":"wazuhmanager"},"manager":{"name":"wazuhmanager"},"id":"1652858457.5919","decoder":{"name":"json"},"data":{"id":"Sync_11111111-1111-1111-1111-111111111111_AAAAA_111111111","category":"ProvisioningManagement","correlationId":"11111111-1111-1111-1111-111111111111","result":"success","resultReason":"This app role assignment was imported: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. The app role granted was 11111111-1111-1111-1111-111111111111. It was granted to User 11111111-1111-1111-1111-111111111111.","activityDisplayName":"Other","activityDateTime":"2022-05-17T13:57:31.3486743Z","loggedByService":"Account Provisioning","initiatedBy":{"user":"null","app":{"appId":"null","displayName":"Azure AD Cloud Sync","servicePrincipalId":"null","servicePrincipalName":"null"}},"targetResources":[{"id":"11111111-1111-1111-1111-111111111111","displayName":"Dropbox Business","type":"ServicePrincipal","userPrincipalName":null,"groupType":null,"modifiedProperties":[]},{"id":null,"displayName":"","type":"Other","userPrincipalName":null,"groupType":null,"modifiedProperties":[]}],"additionalDetails":[{"key":"Details","value":"Type: AppRoleAssignment\r\nModification: Add\r\nAnchor: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\nMatching property values: 11111111-1111-1111-1111-111111111111\r\nOriginalSourceEntryType: \r\nReference Change? False\r\nContainsEntitlement? False\r\nTrackingId 11111111-1111-1111-1111-111111111111"},{"key":"ErrorCode","value":""},{"key":"EventName","value":"EntryImportEntitlementGrant"},{"key":"ipaddr","value":null},{"key":"JoiningProperty","value":""},{"key":"oid","value":null},{"key":"SourceAnchor","value":""},{"key":"TargetAnchor","value":""},{"key":"tid","value":null},{"key":"wids","value":null}],"azure_tag":"azure-ad-graph","azure_aad_tag":"azure-active_directory"},"location":"Azure"}
where the object .data.initiatedBy.app can have the forms:
{
"appId": "null",
"displayName": "Azure AD Cloud Sync",
"servicePrincipalId": "null",
"servicePrincipalName": "null"
}
or:
"null"
Resulting in Filebeat providing a log such as:
2022-05-18T14:37:02.257Z WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc0995f0349194a68, ext:26184561991445, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"11111111-1111-1111-1111-111111111111","hostname":"wazuhmanager","id":"11111111-1111-1111-1111-111111111111","name":"wazuhmanager","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"wazuhmanager"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":81305},"message":"{\"timestamp\":\"2022-05-18T14:36:53.672+0000\",\"rule\":{\"level\":3,\"description\":\"Azure: AD \",\"id\":\"87802\",\"firedtimes\":1,\"mail\":false,\"groups\":[\"azure\"]},\"agent\":{\"id\":\"000\",\"name\":\"wazuhmanager\"},\"manager\":{\"name\":\"wazuhmanager\"},\"id\":\"1652884613.107394\",\"decoder\":{\"name\":\"json\"},\"data\":{\"id\":\"Directory_1a1a1111-aaaa-1111-1a1a-11111a11111a_Y9GLM_86734990\",\"category\":\"UserManagement\",\"correlationId\":\"1a1a1111-aaaa-1111-1a1a-11111a11111a\",\"result\":\"success\",\"activityDisplayName\":\"Delete user\",\"activityDateTime\":\"2022-05-18T14:35:30.5989483Z\",\"loggedByService\":\"Core Directory\",\"operationType\":\"Delete\",\"initiatedBy\":{\"app\":\"null\",\"user\":{\"id\":\"1a1a1111-aaaa-1111-1a1a-11111a11111a\",\"displayName\":\"null\",\"userPrincipalName\":\"[email protected]\",\"ipAddress\":\"111.111.111.111\",\"userType\":\"null\",\"homeTenantId\":\"null\",\"homeTenantName\":\"null\"}},\"targetResources\":[{\"id\":\"11111111-1111-1111-1111-111111111111\",\"displayName\":null,\"type\":\"User\",\"userPrincipalName\":\"[email protected]#EXT#@company.onmicrosoft.com\",\"groupType\":null,\"modifiedProperties\":[{\"displayName\":\"Is Hard Deleted\",\"oldValue\":null,\"newValue\":\"\\\"False\\\"\"}]}],\"additionalDetails\":[],\"azure_tag\":\"azure-ad-graph\",\"azure_aad_tag\":\"azure-active_directory\"},\"location\":\"Azure\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::34746843-64768", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0005a96c0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:82570, Timestamp:time.Time{wall:0xc0995ed5003f0bf8, ext:25999413471016, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x21231db, Device:0xfd00}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"object mapping for [data.initiatedBy.app] tried to parse field [app] as object, but found a concrete value"}
And depending on the first type of event seen on a day, the others will not be indexed.
@jnasselle thanks for adding my issue to the list can see it's the same as @jctello described I think.
Would a custom indexer in this case help? Is it something I could read up on and develop to overcome the problem with status expecting a keyword.
This also affects the Microsoft Graph integration added in Wazuh 4.6.0
Event from ossec-alerts.json:
{"timestamp":"2023-12-07T08:39:50.359+0000","rule":{"level":3,"description":"MS Graph message: Alerts that may not be actionable or considered harmful to the network but can drive organizational security awareness on potential security issues.","id":"99585","firedtimes":1,"mail":false,"groups":["ms-graph"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1701938390.15519","decoder":{"name":"json"},"data":{"integration":"ms-graph","ms-graph":{"id":"xxx","providerAlertId":"xxx","incidentId":"336","status":"new","severity":"informational","classification":"null","determination":"null","serviceSource":"microsoftDefenderForEndpoint","detectionSource":"smartScreen","productName":"Microsoft Defender for Endpoint","detectorId":"xxx","tenantId":"xxx","title":"Device tried to access a phishing site","category":"SuspiciousActivity","assignedTo":"null","alertWebUrl":"xxx","incidentWebUrl":"xxx","actorDisplayName":"null","threatDisplayName":"null","threatFamilyName":"null","mitreTechniques":[],"createdDateTime":"2023-12-06T16:04:35.67Z","lastUpdateDateTime":"2023-12-06T16:04:36.77Z","resolvedDateTime":"null","firstActivityDateTime":"2023-12-06T16:04:34.9959476Z","lastActivityDateTime":"2023-12-06T16:04:34.9959476Z","alertPolicyId":"null","additionalData":"null","comments":[],"evidence":[{"@odata.type":"#microsoft.graph.security.deviceEvidence","createdDateTime":"2023-12-06T16:04:35.82Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"firstSeenDateTime":"2023-07-04T18:55:02.6289913Z","mdeDeviceId":"xxx","azureAdDeviceId":"xxx","deviceDnsName":"xxx","osPlatform":"iOS","osBuild":1,"version":"Other","healthStatus":"active","riskScore":"informational","rbacGroupId":0,"rbacGroupName":null,"onboardingStatus":"onboarded","defenderAvStatus":"notSupported","ipInterfaces":[],"vmMetadata":null,"loggedOnUsers":[]},{"@odata.type":"#microsoft.graph.security.ipEvidence","createdDateTime":"2023-12-06T16:04:35.82Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"ipAddress":"xxx","countryLetterCode":null}],"resource":"security","relationship":"alerts_v2"}},"location":"ms-graph"}
Log from /var/log/filebeat:
2023-12-07T08:39:55.090Z WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc1547f167962cc2e, ext:74442379452261, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"xxx","hostname":"wazuh-server","id":"xxx","name":"xxx","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":24907},"message":"{\"timestamp\":\"2023-12-07T08:39:50.359+0000\",\"rule\":{\"level\":3,\"description\":\"MS Graph message: Alerts that may not be actionable or considered harmful to the network but can drive organizational security awareness on potential security issues.\",\"id\":\"99585\",\"firedtimes\":1,\"mail\":false,\"groups\":[\"ms-graph\"]},\"agent\":{\"id\":\"000\",\"name\":\"wazuh-server\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1701938390.15519\",\"decoder\":{\"name\":\"json\"},\"data\":{\"integration\":\"ms-graph\",\"ms-graph\":{\"id\":\"xxx\",\"providerAlertId\":\"xxx\",\"incidentId\":\"336\",\"status\":\"new\",\"severity\":\"informational\",\"classification\":\"null\",\"determination\":\"null\",\"serviceSource\":\"microsoftDefenderForEndpoint\",\"detectionSource\":\"smartScreen\",\"productName\":\"Microsoft Defender for Endpoint\",\"detectorId\":\"xxx\",\"tenantId\":\"xxx\",\"title\":\"Device tried to access a phishing site\",\"category\":\"SuspiciousActivity\",\"assignedTo\":\"null\",\"alertWebUrl\":\"xxx\",\"incidentWebUrl\":\"xxx\",\"actorDisplayName\":\"null\",\"threatDisplayName\":\"null\",\"threatFamilyName\":\"null\",\"mitreTechniques\":[],\"createdDateTime\":\"2023-12-06T16:04:35.67Z\",\"lastUpdateDateTime\":\"2023-12-06T16:04:36.77Z\",\"resolvedDateTime\":\"null\",\"firstActivityDateTime\":\"2023-12-06T16:04:34.9959476Z\",\"lastActivityDateTime\":\"2023-12-06T16:04:34.9959476Z\",\"alertPolicyId\":\"null\",\"additionalData\":\"null\",\"comments\":[],\"evidence\":[{\"@odata.type\":\"#microsoft.graph.security.deviceEvidence\",\"createdDateTime\":\"2023-12-06T16:04:35.82Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"firstSeenDateTime\":\"2023-07-04T18:55:02.6289913Z\",\"mdeDeviceId\":\"xxx\",\"azureAdDeviceId\":\"xxx\",\"deviceDnsName\":\"xxx\",\"osPlatform\":\"iOS\",\"osBuild\":1,\"version\":\"Other\",\"healthStatus\":\"active\",\"riskScore\":\"informational\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"onboardingStatus\":\"onboarded\",\"defenderAvStatus\":\"notSupported\",\"ipInterfaces\":[],\"vmMetadata\":null,\"loggedOnUsers\":[]},{\"@odata.type\":\"#microsoft.graph.security.ipEvidence\",\"createdDateTime\":\"2023-12-06T16:04:35.82Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"ipAddress\":\"xxx\",\"countryLetterCode\":null}],\"resource\":\"security\",\"relationship\":\"alerts_v2\"}},\"location\":\"ms-graph\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::790740-2050", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0004d9930), Source:"/var/ossec/logs/alerts/alerts.json", Offset:27601, Timestamp:time.Time{wall:0xc1547f16795548a7, ext:74442378566634, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0xc10d4, Device:0x802}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.ms-graph.resolvedDateTime] of type [date] in document with id 'xxx'. Preview of field's value: 'null'","caused_by":{"type":"illegal_argument_exception","reason":"failed to parse date field [null] with format [strict_date_optional_time||epoch_millis]","caused_by":{"type":"date_time_parse_exception","reason":"Failed to parse with all enclosed parsers"}}}
